MEMORANDUM

TO: Dr. Burson, Weld County Coroner
DATE: September 29, 2023
FROM: Clerk to the Board's Office
SUBJECT: Tyler Document #2021-1313

Final signatures were not obtained by the parties required to fully execute Tyler Document #2021-1313, approved by the Weld County Board of Commissioners on May 17, 2021. Due to the prolonged delay in obtaining final signatures, the Clerk to the Board's Office has deemed it prudent to close this item out. This memorandum will be added to the Commissioners' files to demonstrate this document was not fully executed.

2021-1313 C00003

RESOLUTION

RE: APPROVE HEALTH INFORMATION EXCHANGE PARTICIPANT AGREEMENT AND BUSINESS ASSOCIATE AGREEMENT, AND AUTHORIZE CHAIR TO SIGN - COLORADO REGIONAL HEALTH INFORMATION ORGANIZATION (CORHIO)

WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and

WHEREAS, the Board has been presented with a Health Information Exchange Participant Agreement and a Business Associate Agreement between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Coroner's Office, and the Colorado Regional Health Information Organization (CORHIO), commencing upon full execution of signatures, with further terms and conditions being as stated in said agreements, and

WHEREAS, after review, the Board deems it advisable to approve said agreements, copies of which are attached hereto and incorporated herein by reference.

NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld County, Colorado, that the Health Information Exchange Participant Agreement and the Business Associate Agreement between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, on behalf of the Coroner's Office, and the Colorado Regional Health Information Organization (CORHIO), be, and hereby are, approved.

BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to sign said agreements.

The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 17th day of May, A.D., 2021.

BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO

Steve Moreno, Chair
Lori Saine

ATTEST: Weld County Clerk to the Board
BY: Deputy Clerk to the Board
APPROVED AS TO FORM: County Attorney
Date of signature: OS /25 /2 -

CC : Co(x(3), CA (KM) 09 /241/23

BOARD OF COUNTY COMMISSIONERS PASS-AROUND REVIEW

PASS-AROUND TITLE: Board consideration of CORHIO contracts for Coroner's Office
DEPARTMENT: Coroner's Office
DATE: 05/06/2021
PERSON REQUESTING: C. Blesch on behalf of Dr. Mike Burson

Brief description of the problem/issue: When a death occurs, the family often needs the decedent to be available for burial or cremation very quickly. But the coroner's office is legally obligated to ascertain the manner and cause of death, which usually requires medical records to be requested from one or more hospitals and medical providers. In some cases, the need for records can cause delays in the release of a body or costly autopsies to be performed when the answers are in medical records that are not yet available. Significant staff resources are often wasted trying to find where such records may exist. On March 9, the Board approved via pass-around, the funding for the Coroner's office to move forward with this service (see attached).
Now for the Board's consideration is the contract agreement for these services.

What options exist for the Board? (include consequences, impacts, costs, etc. of options): As noted in the previous pass-around, there is a one-time cost of $1,500 for implementation, with $300 per month thereafter for the licenses we would need. The annual expenditure would therefore be $5,100 for the first year and $3,600 per year thereafter. The agreement has been reviewed by Karin McDougal, Assistant County Attorney. We request approval to place this Agreement on the agenda and move forward with the contract.

Recommendations: That the Board approve the attached agreement to be placed on the agenda for approval and authorization for signature by the Chair

Approve Recommendation / Schedule Work Session / Other/Comments:
Perry L. Buck
Mike Freeman
Scott K. James, Pro-tem
Steve Moreno, Chair
Lori Saine

BOARD OF COUNTY COMMISSIONERS PASS-AROUND REVIEW

PASS-AROUND TITLE: CORHIO database access for Coroner's Office
DEPARTMENT: Coroner's Office
DATE: March 9, 2021
PERSON REQUESTING: Coroner Mike Burson

Brief description of the problem/issue: When a death occurs, the family often needs the decedent to be available for burial or cremation very quickly. But the coroner's office is legally obligated to ascertain the manner and cause of death, which usually requires medical records to be requested from one or more hospitals and medical providers. In some cases, the need for records can cause delays in the release of a body or costly autopsies to be performed when the answers are in medical records that are not yet available. Significant staff resources are often wasted trying to find where such records may exist and chasing after them.

What options exist for the Board? (include consequences, impacts, costs, etc. of options): The Board may direct us to continue as we presently function.
In the alternative, the Board could allow us to subscribe to CORHIO, a non-profit database of medical records used by virtually all Front Range hospitals and larger medical practices. This database provides instant access to medical records for hospitals, doctors' offices, emergency ambulance crews and coroners. All other larger Colorado coroner's offices have already subscribed to this service and use it daily. The one-time cost is $1,500 for implementation, with $300 per month thereafter for the licenses we would need. The annual expenditure would therefore be $5,100 for the first year and $3,600 per year thereafter.

Recommendation: To pay for CORHIO, we would need to prevent no more than 4 autopsies (with toxicology fees) for the entire first year; thereafter, avoiding only 3 autopsies per year would pay the ongoing fee. We believe that expenditure would improve efficiency, reduce costs and provide better service to our decedents' families. We are authorized to say that Directors Warden and Oftelie support this plan and the supplemental appropriation of $5,100 requested to implement the first year. Thanks for your consideration.

Approve Recommendation / Schedule Work Session / Other/Comments:
Perry L. Buck
Mike Freeman
Scott K. James, Pro-Tem
Steve Moreno, Chair
Lori Saine

CORHIO
COLORADO REGIONAL HEALTH INFORMATION ORGANIZATION

Health Information Exchange Participant Agreement
Version January 2021

Table of Contents

Recitals
Agreement
1. Definitions.
2. Services.
3. Payment.
4. CORHIO Policies
5. Obligations of CORHIO
6. Participant General Obligations.
7. Data Recipient Obligations.
8. Data Provider Obligations
9. Confidentiality
10. Data
11. License.
12. Warranties and Disclaimers
13. Limitation of Liability
14. Insurance.
15. Indemnification.
16. Force Majeure.
17. Term, Termination, and Suspension of Services.
18. Assignment and Change of Control.
19. Qualified Immunities (If Applicable)
20. Dispute Resolution.
21. Additional Provisions
Signature Page
Attachment 1
CORHIO Services List
CORHIO's Healthcare Quality Improvement Team Services
Attachment 2
Terms and Conditions Applicable to CORHIO's Participation in External Networks
Other Attachments (available on CORHIO Website)
Exhibit A
Statement(s) of Work
Exhibit B
Business Associate Agreement

CORHIO Participant Agreement | Oct. 2020 Version

HEALTH INFORMATION EXCHANGE PARTICIPANT AGREEMENT

This Participant Agreement ("Agreement") is effective as of the date of execution by both parties hereto (the "Effective Date"), by and between the Colorado Regional Health Information Organization, a Colorado nonprofit corporation ("CORHIO"), and Weld County Coroner's Office ("Participant") (each a "Party" and collectively referred to herein as the "Parties"). This Agreement supersedes and replaces any other agreement or understandings, whether oral or written, entered into between the parties with respect to the subject matter of this Agreement.

RECITALS

A. CORHIO is a non-profit organization dedicated to improving health and reducing healthcare costs through enhanced use of information technology and data exchange. CORHIO owns and operates a secure platform for sharing electronic health information — the Health Information Exchange ("HIE System") for use by healthcare providers, payors, other covered entities and qualified entities to whom CORHIO grants access in accordance with its policies and the law, including without limitation laws protecting the privacy and security of health information.

B. Participant desires to have access to the HIE System and / or related services.

C. Participants in the HIE System include Data Recipients and Data Providers, as defined below. A participant in the HIE System may be a Data Recipient, Data Provider or both.

D.
This Agreement sets forth the terms and conditions under which Participant, together with other health care stakeholder participants who sign an agreement in substantially the same form as this Agreement or such other form as is deemed appropriate by CORHIO (collectively, "Participants"), will access and utilize the HIE System and other applicable HIE services supplied by CORHIO to Participant as may be agreed to from time to time in statements of work attached to the Agreement.

AGREEMENT

In consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the Parties agree as follows:

1. DEFINITIONS.

1.1. "Applicable Law" means the federal, state, and local statutes, regulations and policies that are applicable to CORHIO, Participant or a party's rights and obligations under this Agreement, including, without limitation, laws, rules and regulations applicable to the confidentiality of patient records and protected health information.

1.2. "Authorized User" means any employee or contractor of Participant or of any of the affiliates of Participant who is uniquely identified and credentialed to use the HIE System to access or receive Data for a Permitted Use.

1.3. "Authorization" shall have the meaning and include the requirements set forth at 45 C.F.R. § 164.508 of the HIPAA regulations and shall include any similar but additional requirements under Applicable Law.

1.4. "Business Associate Agreement" means the separate agreement of that name entered into by CORHIO and Participant, if applicable, pursuant to the requirements of HIPAA and incorporated herein as Exhibit B.

1.5. "Confidential Information" means information that relates to a Party's past, present, or future business activities, finances, practices, protocols, products, services, content, technical knowledge and includes, without limitation, business plans or methods, health plan relationships, acquisition plans, systems architecture, information systems, technology, data, computer programs and codes, processes, methods, operational procedures, budgets, sales and marketing programs, policies and procedures, customer lists, employee-, provider-, member-, patient- and beneficiary information, claims information, vendor information (including agreements, software and products), product plans, projections, analyses, plans or results, the existence of any business dealings or agreements between Participant and CORHIO, results of an audit of the security controls applicable to any Data in a party's legal custody, whether held by the party or a sub-contractor of a party at a colocation facility, and any other information which is normally and reasonably considered confidential. For purposes hereof, "Confidential Information" does not include any information that the Receiving Party can establish by convincing written evidence: (a) was independently developed by the Receiving Party without use of or reference to any Confidential Information belonging to the Disclosing Party; (b) was acquired by the Receiving Party from a third party having the legal right to furnish same to the Receiving Party without disclosure restrictions; or (c) was at the time in question (whether at disclosure or thereafter) generally known by or available to the public (through no fault of the Receiving Party). Confidential Information also does not include PHI or Data, which is subject to Applicable Law and to the separate provisions of the Agreement specific to Data, including the Business Associate Agreement (Exhibit B).

1.6. "CORHIO Policies" means CORHIO's Governing Principles and Policies adopted by CORHIO's Board of Directors and incorporated herein as Attachment 3.
The CORHIO Policies contain operating rules, definitions, standards, specifications, and other terms or conditions of operation and use of the HIE System and Services. The CORHIO Policies were developed based on the recommendations of a multi-stakeholder, consensus-driven process and are updated from time to time at the recommendation of the CORHIO Policy Committee and as approved by the CORHIO Board of Directors.

1.7. "Data" means the data and information provided to, processed by, or accessible or disclosed through the HIE System or other services, including but not limited to Protected Health Information ("PHI").

1.8. "Data Exchange" means electronically providing, receiving, or accessing Data through the HIE System.

1.9. "Data Recipient" means a Participant whose Authorized Users and systems will access or receive Data through the HIE System and Services.

1.10. "Data Provider" means a Participant that sends Data to CORHIO for access, use and disclosure through the HIE System. For the avoidance of doubt, Participants that only provide patient or member lists to facilitate CORHIO's provision of Services are not Data Providers.

1.11. "Dispute" means any controversy, dispute, or disagreement arising out of or relating to this Agreement.

1.12. "External Networks" means statewide, nationwide or other health information exchange networks, including but not limited to the eHealth Exchange, Colorado's Qualified Health Network, the Patient Centered Data Home network, which enable the secure exchange of health information among authorized parties, all in accordance with Applicable Law and CORHIO Policies.

1.13. "Fees" means the fees due under this Agreement, as set forth in Exhibit A and/or a Statement of Work.

1.14. "HIE System" means all software, hardware and other technology used by or on behalf of CORHIO, or any third-party vendor(s) or subcontractors of CORHIO, to provide the Services, including but not limited to the administrative, operational, and information system support services required to operate the HIE.

1.15. "HIE Operations" shall mean the obligations of CORHIO in operating the HIE, including but not limited to the following activities:

1.15.1. Facilitating Data Exchange and managing authorized requests for, and disclosures of, Data amongst Participants in the HIE for Permitted Uses;

1.15.2. Creating and maintaining a master patient index; providing record locator services and performing patient matching services;

1.15.3. Processing or otherwise implementing patient consent (including Opt-Out and opt-in) requests;

1.15.4. Conducting or assisting in the performance of audits;

1.15.5. Training Participants and Authorized Users and providing support services;

1.15.6. Maintaining industry-accepted security and privacy functions;

1.15.7. Standardizing or normalizing data formats;

1.15.8. Implementing policies and other business rules to assist in the automation of data exchange;

1.15.9. Facilitating the identification and correction of errors in health information records;

1.15.10. Aggregating data from multiple Participants, including to create, update, modify, transmit, standardize, maintain, or disclose a continuity of care document;

1.15.11. Evaluating the performance of the HIE System and Services and developing new functionality of the HIE;

1.15.12. Conducting maintenance or technical system support of the HIE System or Services; and

1.15.13. Engaging in any other activities as may be required to facilitate the operation of the HIE System that are consistent with this Agreement and Applicable Law.

1.16. "HIPAA" means the Health Information Portability and Accountability Act of 1996, specifically including the Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164) as amended by the Health Information Technology for Economic and Clinical Health Act, enacted as Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009, including regulations published as the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (the "Omnibus HITECH Rule"), Vol. 78 Federal Register No. 17 (January 25, 2013) and any further amendments, modification, or renumbering which occurs or takes effect during the term of the Agreement.

1.17. "Implementation" means the steps taken by the Parties to support Participant's initial connectivity to and Data Exchange through the HIE System or to enable Participant's use of Services described in Exhibit A or any associated Statement of Work.

1.18. "Laws" means all applicable laws, statutes, ordinances, regulations, rules, codes, treaties, directives, standards or other legal requirements.

1.19. "Live Date" means the date, following notice by CORHIO of completion of the Implementation, on which the parties agree that Participant has met the criteria established by CORHIO for access and use of the HIE System and Services.

1.20. "Opt-Out" means a Patient's ability to make a meaningful and informed choice to decline to have their PHI compiled in the HIE System and shared in CORHIO's clinical portal or via care summaries in accordance with CORHIO Policies.

1.21. "Patient" or "Individual" means the individual person or, if appropriate in the context in which it occurs, the Individual's legal representative, authorized to act for the Individual under Applicable Law for matters relating to Data.

1.22. "Permitted Use"

1.22.1.
As to CORHIO, Permitted Use of Data means: (i) for HIE Operations; (ii) for the provision of Services; (iii) to permit participants to access Data through the HIE System in accordance with this Agreement, CORHIO Policies, and Applicable Law; including but not limited to for purposes of Treatment, Payment and Health Care Operations (as those terms are defined in HIPAA) of Participant and other participants in the HIE System; (iv) for uses and disclosures to a public health authority, as defined and permitted under HIPAA, if and to the extent HIPAA authorizes such disclosure by a Covered Entity (as such term is defined in HIPAA); (v) to carry out CORHIO's duties under this Agreement and/or the rules and regulations governing any External Networks in which CORHIO participates; (vi) to comply with and carry out CORHIO's obligations under Applicable Law; (vii) to assess and articulate the value of the HIE in a manner consistent with CORHIO's mission and purposes; and (viii) to use or release data as permitted by the CORHIO Policies.

1.22.2. As to Data Recipients and Authorized Users, Permitted Use of Data means any use that is permitted or required under HIPAA, the CORHIO Policies, or other Applicable Law governing the use and disclosure of patient data, including but not limited to uses and disclosures for Treatment, Payment and Health Care Operations (as those terms are defined in HIPAA).

1.23. "Protected Health Information" or "PHI" shall have the same meaning as the term "protected health information" in 45 CFR § 160.103, as applied to the information created, received, transmitted, or maintained by CORHIO, or any third-party vendor(s) or subcontractors of CORHIO, on behalf of Participant and other HIE Participants.

1.24. "Qualified Service Organization" or "QSO" shall have the meaning given to such term under the Part 2 Regulations at 42 C.F.R. § 2.11.

1.25. "Services" refers to services and deliverables provided by CORHIO to Participant, pursuant to this Agreement, including Exhibit A and any additional Statements of Work.

1.26. "Service Levels" means CORHIO's then-current service levels for the operation of the HIE System made available to Participant by CORHIO.

1.27. "Statement of Work" or "SOW" means the addendum set forth in Exhibit A and any other addendum that is mutually agreed upon in writing and signed by the parties from time to time that describes Services to be provided by CORHIO to Participant including applicable Fees under this Agreement.

1.28. Other Terms. A defined term, indicated by capitalization of the first letter(s), not otherwise set forth above or elsewhere in the Agreement shall have the meaning stated in HIPAA or, if not defined in HIPAA, assigned by other Applicable Law.

2. SERVICES.

2.1. Services Provided by CORHIO. Subject to the terms of this Agreement, Applicable Law and CORHIO Policies, CORHIO shall provide to Participant the Services described in the Statement(s) of Work that is attached and incorporated by reference herein. To the extent of any conflict between the terms of a SOW and the body of this Agreement, this Agreement shall prevail unless the SOW specifically states otherwise.

2.2. Additional Services. If Participant desires CORHIO to perform additional services or provide additional deliverables not included in Exhibit A to this Agreement, the Parties can execute additional SOWs from time to time in a form substantially similar to Exhibit A.

2.3. Exhibits. If required, the Parties agree to comply with the requirements outlined in the following Attachments and Exhibits attached to this Agreement which are fully incorporated herein.
Attachment 1: CORHIO Standard Services
Attachment 2: Terms and Conditions Applicable to Exchange of Data through National HIE Networks
Attachment 3: CORHIO Governing Principles and Policies
Exhibit A — Statement of Work
Exhibit B — HIPAA Business Associate Agreement

2.4. CORHIO's Use of Subcontractors and Third-Party Vendors. CORHIO may contract with one or more subcontractors and third-party vendors to maintain and operate the HIE System or to provide the Services. CORHIO will require all subcontractors and third-party vendors to comply with the applicable terms and conditions of this Agreement, including the Business Associate Agreement between the Parties, and Applicable Law. CORHIO will be responsible for the performance of its subcontractors and third-party vendors when performing any Services under this Agreement, as if CORHIO had directly performed such Services.

2.5. Independent Contractors. CORHIO and Participant are independent contractors and nothing in this Agreement or otherwise shall be deemed or construed to create any other relationship, including one of employment, joint venture or agency. Performance of the Services does not entitle any employees of one party to the employee benefit plans, incentive, compensation or other employee programs or policies of the other party. As between CORHIO and Participant, all software, hardware and other technology used by or on behalf of CORHIO to provide the Services and HIE System shall remain the property of CORHIO or its subcontractors and third-party vendors, and CORHIO reserves all rights in and to the technology used to provide the Services not expressly granted to Participant under this Agreement.

2.6. Cooperation.
The Parties understand and acknowledge that Implementation of the Services, including the provision of access to the HIE System for Participant, requires the involvement and cooperation of each Party's employees and (if applicable) agents, third party contractors, vendors or consultants. In seeking another Party's cooperation, each Party shall make all reasonable efforts to accommodate the other Party's schedules and reasonable operational concerns. A Party shall promptly report, in writing, to the other Party, any problems or issues that arise in working with the other Party's employees, agents, or subcontractors that threaten to delay or otherwise adversely impact a Party's ability to fulfill its responsibilities under this Agreement.

2.7. Implementation and Connectivity. Implementation of the Services and access to the HIE System between Participant and CORHIO's Services and the HIE System, as applicable, will be established on a mutually agreed submission schedule, and through mutually agreed means as appropriate to or in accordance with a SOW. All Data Exchange shall be in accordance with this Agreement and Applicable Law including without limitation laws related to the use and disclosure of sensitive health information. In no case shall a Party be required to disclose PHI in violation of Applicable Law.

2.8. Appropriate Use. Subject to Applicable Law, CORHIO authorizes Participant and its Authorized Users to access and use the HIE System and the Services for Permitted Purposes and only as authorized in this Agreement and in the CORHIO Policies, which may be updated from time-to-time consistent with Section 4.

2.9. Participation in External Networks. To support Participant's communications with entities that are not CORHIO Participants, CORHIO participates in one or more External Networks. Attachment 2 and the CORHIO Policies set forth the terms and conditions that apply to the exchange of information through such External Networks.

3. PAYMENT.

3.1. Fees.
3.1.1. Participant shall pay CORHIO for the Services to be performed under this Agreement and use of the HIE System per the Fee schedule set forth in an applicable Statement of Work. Unless otherwise provided in a Statement of Work, CORHIO shall invoice Participant on a monthly calendar basis for Services rendered during the previous calendar month, and Participant shall pay any Fees within thirty (30) days of receipt of the invoice.

3.1.2. All Fees will be paid in U.S. dollars and are non-refundable once paid, except as otherwise provided in this Agreement. All Fees are exclusive of any taxes, and Participant (unless recognized by the applicable taxing authority as exempt from tax) agrees to pay any taxes, whether federal, state or local, or municipal that may be imposed upon or with respect to the Services or otherwise as a result of this Agreement, exclusive of taxes on CORHIO's net income.

3.1.3. Except as otherwise set forth herein, Participant will be solely responsible for any other charges or expenses of its third party vendors that Participant may incur to access or use the HIE System or any other Services, including, without limitation, Internet access charges, and fees charged by third-party vendors with which Participant has contracted for products and services.

3.2. Late Payment. If Participant fails to pay any amounts due within sixty (60) days after the invoice receipt date, any amounts not paid may bear interest from the original due date until paid at the greater of 1.5% per month or the highest rate allowed by Applicable Law, together with collection costs, including reasonable attorneys' fees, incurred in enforcing this Agreement. Following a past due payment notice from CORHIO, CORHIO reserves the right to suspend the Services, including Participant's access to the HIE System, pending payment in full of all outstanding Fees.
If Participant fails to pay any amounts due within one hundred twenty (120) days after the invoice receipt date, CORHIO may pursue termination of the applicable SOW, a specific Service or the entire Agreement in accordance with Section 17 ("Term and Termination") of this Agreement.

3.3. Fee Increases. Subject to the terms of a SOW, CORHIO may from time to time but no more frequently than once in any 12-month period increase the Fees. Such an increase will be effective thirty (30) days after written notice to Participant subject to the exceptions listed in an SOW. Participant shall have the right, in accordance with Section 17, to terminate this Agreement as a result of any fee increases.

4. CORHIO POLICIES.

4.1. Compliance with CORHIO Policies. By entering into this Agreement, Participant expressly agrees to be bound by those CORHIO Policies that are applicable to Participant's business. The CORHIO Policies may be updated from time to time as set forth in Section 4.2 and are incorporated herein as Attachment 3.

4.2. Amendment of Policies. CORHIO may amend or change the Policies to accommodate the availability of new services, systems, functionality, or changes to Permitted Uses or HIE Operations, through formal action of CORHIO's Board of Directors under recommendation from CORHIO's policy committee, which is comprised of representatives from participant communities in Colorado. CORHIO will review its Policies from time to time during the term of this Agreement, including as directed by the Board. CORHIO will generally provide thirty (30) days notice to Participant before such amendment or change to CORHIO's Policies becomes effective; however, CORHIO reserves the right to provide notice of fewer than thirty (30) days should circumstances warrant. In the event of such amendment or change by CORHIO, Participant may, at its option, terminate this Agreement within thirty (30) days of receipt of notice from CORHIO.

4.3. Other Technical Specifications.
In addition to, and subject to, the CORHIO Policies, CORHIO and Participant may establish other technical specifications or other terms and conditions as to a specific SOW.

5. OBLIGATIONS OF CORHIO.

5.1. Availability of HIE System. Subject to the terms of this Agreement, CORHIO shall maintain the functionality of the HIE System for the provision and consumption of the Services in accordance with CORHIO's then-current Service Levels. CORHIO's Service Levels are available on the support and onboarding section of CORHIO's website.

5.2. Opt-Out Right. CORHIO will provide information and education to Participants that are health care providers about the right of Individuals to Opt-Out of the HIE System or to rescind a decision to Opt-Out. CORHIO shall comply with the process set forth in the Policies for enabling Individuals to Opt-Out of having their patient information compiled and shared in CORHIO's clinical portal or via care summaries. The Opt-Out right of Individuals, including the ability of Individuals to change their Opt-Out status at any time, is available through means established and implemented by CORHIO. CORHIO shall periodically review its Opt-Out process to ensure compliance with Applicable Law.

5.3. Obligations under 42 C.F.R. Part 2 as a QSO. CORHIO may act as a Qualified Service Organization on behalf of Participant in the event Participant or a unit within Participant's organization is a substance use treatment program that must comply with the Part 2 Regulations. To the extent the PHI received by CORHIO is protected by the Part 2 Regulations, CORHIO acknowledges that in receiving, storing, processing or otherwise dealing with Part 2 Data, CORHIO is fully bound by the Part 2 Regulations. If necessary, CORHIO will resist in judicial proceedings any efforts to obtain access to Part 2 Data except as permitted by the Part 2 Regulations.
Participant shall not send Part 2 Data to CORHIO unless such data is clearly designated as such and CORHIO has notified Participant in writing that CORHIO can accept Part 2 Data. 5.4. Training. CORHIO shall provide or arrange for the provision of training to Participant and Participant's Authorized Users (as applicable to the Services) regarding access and use of the HIE System and Services, including without limitation training for new or additional Authorized Users when added by Participant. 5.5. Support. CORHIO will use commercially reasonable efforts to provide technical support and respond to incidents involving access to or use of the HIE System or Services in accordance with the time frames defined in CORHIO's then-current Service Levels. Updated Service Levels shall be published on CORHIO's website or timely sent to Participant. 5.6. Security. CORHIO shall provide access to the Services and the HIE System via a secured methodology, consistent with industry standards, Applicable Law, and CORHIO's Policies, which shall incorporate end user authorization by Participant for access where applicable. CORHIO is responsible to ensure the security of its Services and shall operate the HIE System in a manner that protects the confidentiality, integrity, availability and security of Data. CORHIO will ensure encryption of Data through the use of generally accepted industry standards and methods, in no case less than is required under the Business Associate Agreement and under other applicable laws and CORHIO's Policies and Procedures. 5.7. Changes to HIE System or Services. CORHIO reserves the right to modify or make improvements to the HIE System and/or the Services, or to cease providing certain Services, at any time subject to Participant's termination rights set forth in Section 17. 6. PARTICIPANT GENERAL OBLIGATIONS. 6.1. Data Exchange. 
Participant agrees that its participation in any Data Exchange, and use of the Services and HIE System by it and its Authorized Users, will comply with the terms of this Agreement, CORHIO Policies, and Applicable Law. 6.2. Equipment and Software. Participant will be solely responsible, at Participant's own expense, for acquiring, installing and maintaining all hardware, software, Internet access, browser versions and other equipment as may be necessary for Participant and each Authorized User to connect to, access, or use the HIE System, as applicable, or any other Services. CORHIO will not be responsible for any delay in performing or failure to perform any Services or other obligations due to any failure by Participant to provide the resources to facilitate connectivity to the HIE System or Services. 6.3. Onboarding and Implementation. Participant agrees to comply with and participate in the requirements of CORHIO's onboarding process and acknowledges that Implementation of the Services will require multiple meetings. Participant is responsible for scheduling the Implementation with its electronic health records system vendor(s) and any resulting EHR system vendor fees. 6.4. Notice of Privacy Practices and Opt-Out. Where applicable, Participants that are clinical providers i) are responsible for updating and appropriately distributing their Notices of Privacy Practices to inform Patients of their participation in the HIE System in accordance with HIPAA and Applicable Law; and ii) are responsible for providing Patients with notice of their right to Opt-Out of having their information compiled in the HIE System and shared in CORHIO's clinical portal or consolidated care summaries in accordance with CORHIO Policies. 6.5. Participant Restrictions. 
Participant will not permit any Authorized User, employee or third party to: (a) alter, modify, reverse engineer, decompile, disassemble, or otherwise attempt to derive the method of operation of the HIE System or Services; (b) use the HIE System or Services for other than Participant's or the Authorized User's own business purposes; (c) use the HIE System or Services for purposes of providing outsourcing, service bureau, hosting, application service provider or online services to third-parties, or otherwise make access to the HIE System available to any third-party not related to or affiliated with Participant; or (e) use the HIE System or Services for any purpose that is illegal in any way, or that advocates illegal activity. 6.6. Responsibility for Conduct of Participant and its Authorized Users. Participant shall be solely responsible for all acts and omissions of the Participant and / or the Participant's Authorized Users, and all other individuals who access the HIE System and/or use the Services either through the Participant or by use of any password, identifier, or log-on received or obtained, directly or indirectly, lawfully or unlawfully, from the Participant or any of Participant's Authorized Users, pertaining to the use of the HIE System or Services, and all such acts and omissions shall be deemed to be the acts and omissions of the Participant. Participant is solely responsible for updating CORHIO of changes in Authorized User status, including to notify CORHIO when an Authorized User account should be suspended or terminated. 6.7. Participant Use of Data and Services. Participant will remain solely responsible for the professional and technical services provided by Participant, including all clinical or other decisions resulting from or involving any Data or the use of the HIE or other Services. 
CORHIO will not be responsible for any failure to validate the accuracy of any Data (including Participant Data) obtained by Participant or any Authorized User through the HIE System prior to making any such use or rendering any such decision based on such Data. Except due to the negligence of CORHIO, CORHIO will have no responsibility or liability, and Participant will not have any claim or cause of action against CORHIO, resulting from or relating to any clinical services or payment rendered or withheld based on any Data or the use of the HIE or other Services. 6.8. Lab Connectivity and Sharing of Lab Data (applicable only to Participants that employ physicians or other persons authorized to order laboratory tests under Applicable Law). Participant agrees to authorize LabCorp and Quest Diagnostics to transmit laboratory result reports to the HIE System for delivery to Participant by executing the Provider Authorization forms available on the Participant onboarding section of the CORHIO website. Participant acknowledges that other participants will have access to such results in accordance with this Agreement and Applicable Law. Participant also understands that CORHIO will not deliver the official, chartable report of laboratory testing results that complies with applicable Law or otherwise meets the Participant's needs. 6.9. Safeguards and Security Obligations. Participant will be solely responsible for the preservation, privacy, and security of all Data maintained by Participant on its own systems, including, without limitation, backup and disaster recovery. CORHIO does not provide any such services as part of the HIE System or other Services. 
Participant shall implement and maintain appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of the Data accessible through the HIE System, to protect it against reasonably anticipated threats or hazards, and to prevent its use or disclosure other than as permitted by this Agreement or required by Applicable Law. 6.10. Notification of Breach of Agreement. Participant will immediately notify CORHIO upon becoming aware of any breach of this Agreement, CORHIO Policies or Applicable Law and will provide reasonable assistance to CORHIO in the mitigation of any such breach by Participant or any Authorized User. 7. DATA RECIPIENT OBLIGATIONS. 7.1. Applicability. The obligations of this Section 7 apply to a CORHIO participant that is a Data Recipient. These obligations do not apply to a participant that is only a Data Provider. 7.2. Prohibited Uses. Data Recipient shall not use or permit the use of the HIE System, Services or Data for any purpose or use other than for the Permitted Uses or for any purpose or in any manner that is prohibited by HIPAA, the CORHIO Policies, or other Applicable Law. 7.3. Authorized Users. Data Recipient will identify and authenticate its Authorized Users, in accordance with this Agreement and CORHIO Policies. Authorized Users will include only those persons who require access to the HIE System to facilitate Data Recipient's use of the Data for a Permitted Use. Each Authorized User shall be individually credentialled for access to the HIE System. In accordance with Section 6.5, Data Recipient is responsible to ensure its Authorized Users comply with the terms and conditions of this Agreement, CORHIO Policies and Applicable Laws and is solely responsible for all use of the HIE System by its Authorized Users. 
Data Recipient will assure that each Authorized User has received training on the requirements of this Agreement and CORHIO Policies that are applicable to Authorized Users before access is granted. 7.4. No Third-Party Access. Except as required by Applicable Law, Participant shall not permit any third party (other than Participant's Authorized Users) to have access to the HIE System or to use the Services without the prior written agreement of CORHIO. 7.5. Relationship with Individuals. By including an Individual on Participant's patient panel or member file that is submitted to CORHIO in conjunction with the Services (if applicable), Participant represents and warrants that it has a HIPAA-compliant treatment, payment or healthcare operations relationship with the Individual and is authorized to receive Data through the HIE System for that Individual. 8. DATA PROVIDER OBLIGATIONS 8.1. Applicability. The obligations of this Section 8 apply to a CORHIO participant that is a Data Provider. These obligations do not apply to a participant that is only a Data Recipient. Nothing in this Section or elsewhere in this Agreement is intended to or will be deemed to limit Data Provider's use of its own Data in any way. 8.2. Data Subject to Special Protection. Data Provider shall comply with all Applicable Laws governing patient consent to the use or disclosure of PHI. Data Provider agrees that, to the extent any Data is subject to special restrictions on Data Exchange or requires specific consent or Authorization from the subject Individual before being used or disclosed for or through the HIE System, such Data will not be disclosed to CORHIO unless Participant has determined that providing the Data will comply with such Applicable Law and/or Participant has obtained any required consent or Authorization from the subject Individual. Data Provider is solely responsible for determining the applicable special restrictions provided for under Applicable Law. 
In addition, Participant may elect not to disclose Data to the HIE that is subject to special protection. 8.3. Representation as to Data Accuracy. Data Provider shall use reasonable and appropriate efforts to assure that all Data it provides to the HIE is accurate, free from serious error, and reasonably complete. Data Provider shall cooperate with and assist CORHIO in correcting any inaccuracies or errors in the Patient Data it provides to the HIE System. Data Provider will not provide or make available any Data that it reasonably knows or reasonably should have known would violate Applicable Law or CORHIO Policy, or that it reasonably knows or reasonably should have known: (a) is an infringement, misappropriation, or violation of any intellectual property rights, publicity/privacy rights, or other rights of any third party; (b) is illegal in any way or that advocates illegal activity; (c) contains any viruses or is intended to damage, surreptitiously intercept, or expropriate the Services or HIE or any other system, data, or information; or (d) is false, inaccurate, incomplete, or not current. 8.4. Right to Use Data. Subject to the terms of the Business Associate Agreement between the Parties, Applicable Law and CORHIO's Policies, Data Provider grants CORHIO the right to use its Data for Permitted Uses. 8.5. OID Requirements. As a condition of participation in the HIE System or receipt of any Services, CORHIO requires every Data Provider to obtain and register an OID (a globally unique ISO identifier) via HL7.org so that CORHIO may accurately identify and route data to other participants. As soon as possible following execution of this Agreement and before CORHIO Implementation of Data Provider Services can commence, Participant shall provide CORHIO with its unique HL7 registered OID. 8.6. Limited Data Sets and De-Identified Data. 
Data Provider grants CORHIO the right to create de-identified data sets or limited data sets (as those terms are defined in HIPAA) that includes Data Provider's Data and to disclose such data sets for any purpose for which Data Provider may disclose a limited data set or de-identified data set without Individual authorization. Data Provider hereby authorizes CORHIO to enter into data use agreements for the use of limited data sets in accordance with Applicable Law and CORHIO Policies. 9. CONFIDENTIALITY 9.1. Confidentiality Obligations. During the term of this Agreement, from time to time, either party may disclose (the "Disclosing Party") or make available to the other party (the "Receiving Party"), whether orally, electronically or in physical form, Confidential Information. Each party agrees that during the term of this Agreement and thereafter: (a) it will use Confidential Information belonging to the Disclosing Party solely for the purpose(s) of this Agreement; and (b) it will not disclose Confidential Information belonging to the Disclosing Party to any third party (other than the Receiving Party's employees, contractors and/or professional advisors on a need-to-know basis who are bound by obligations of nondisclosure and limited use at least as stringent as those contained herein) without first obtaining the Disclosing Party's written consent. Upon request by the Disclosing Party, the Receiving Party will return all copies of any Confidential Information to the Disclosing Party. The Receiving Party will protect all Confidential Information from unauthorized use, access, or disclosure in the same manner as the Receiving Party protects its own confidential or proprietary information of a similar nature but with no less than reasonable care, consistent with industry accepted protections. 
Further, both parties shall limit the number of personnel, subcontractors and agents who will have access to Confidential Information to the extent access is necessary and appropriate to the work function of individual personnel, subcontractors and agents. 9.2. Required Disclosures. These confidentiality obligations will not restrict any disclosure required by order of a court or any government agency, provided that the Receiving Party gives prompt notice to the Disclosing Party of any such order and reasonably cooperates with the Disclosing Party at the Disclosing Party's request and expense to resist such order or to obtain a protective order. 9.3. Unauthorized Use or Disclosure. If the Receiving Party becomes aware of any unauthorized use or disclosure of the Confidential Information of the Disclosing Party, the Receiving Party shall promptly and fully notify the Disclosing Party of all facts known to it concerning such unauthorized use or disclosure. 9.4. Management Uses. CORHIO may reasonably request information, including Confidential Information, from Participant for purposes of HIE System administration, operations, testing, problem identification, problem resolution, management of the health information exchange, and otherwise as may be necessary and appropriate to carry out its obligations under Applicable Law. 9.5. Injunctive Relief. The parties acknowledge and agree that the disclosure of Confidential Information may result in irreparable harm for which there is no adequate remedy at law. The parties therefore agree that the Disclosing Party may be entitled to seek an injunction in the event the Receiving Party violates or threatens to violate the provisions of this Section, and that no bond will be required. This remedy will be in addition to any other remedy available at law or equity. 10. DATA 10.1. Data Rights. 
Without limiting any obligation or requirement imposed by the Business Associate Agreement between the Parties and incorporated by reference herein and consistent with all Applicable Laws, neither party will use the Data except as expressly provided by the terms of this Agreement and solely to the extent that those terms are in compliance with Applicable Law. Neither Party makes any representation as to the rights held by such party, nor provides any individual with any rights, in any Data other than as permitted by this Agreement and Applicable Law and CORHIO Policies. As between Participant and CORHIO, Participant shall at all times remain the exclusive owner of Participant Data. In no event shall CORHIO claim any ownership rights with respect to Participant Data, and CORHIO shall not take any action with respect to such Participant Data that is inconsistent with this Agreement. If applicable, once Participant Data is exchanged through the HIE System subject to the terms of this Agreement, such Data may not continue as Participant's sole property. 10.2. Data Liabilities and Obligations. To the extent that the Services, as outlined in applicable SOWs, includes exchange of Data through the HIE System, the Parties acknowledge that the Data (including all Participant Data) is made available through the HIE by CORHIO on behalf of Participant and the other Participants and Authorized Users of the HIE System for Permitted Uses, and CORHIO does not have any obligation to monitor or review the content of the Data for accuracy or completeness before making the Data available through the HIE System. 10.3. Offshoring. CORHIO will ensure that it and its employees, subcontractors, and third party vendors will not transmit Data outside the jurisdiction of the United States of America or its territories. 
This section will not prohibit CORHIO from releasing Data that is de-identified in accordance with 45 C.F.R. § 164.514(b) to employees or contractors outside the United States, for purposes of software development and testing on behalf of CORHIO. This section does not prohibit Participant from allowing its Authorized Users to access the HIE System for a Permitted Use while outside the United States. 11. LICENSE. 11.1. License Grant. CORHIO represents and warrants that it has obtained all necessary licenses and/or approvals to make available the Services and the HIE System to Participant under the terms and conditions of this Agreement. Before making software provided by third parties ("Third Party Software") available to Participant, CORHIO will obtain the right and ability to permit CORHIO and Participant to use the Third Party Software. During the Term, CORHIO grants Participant a royalty-free, nonexclusive, nontransferable, non-assignable, non-sublicensable and limited right to use the Services and HIE System, including any Third Party Software furnished by CORHIO, in accordance with the terms of this Agreement. Such access and use are subject to Participant's compliance with the terms and conditions set forth in this Agreement and with CORHIO's Policies. 11.2. No Sublicensing. Participant shall not sublicense, export, rent, lease, grant a security interest in, or otherwise transfer rights related to the HIE System or any component of the Services, without advance written permission from CORHIO. 11.3. No Transfer or Modification. Except as permitted under this Agreement, Participant will not sell, rent, sublicense or otherwise share its right to use the Services or the HIE System. Participant will not modify, reverse engineer, decompile, disassemble or otherwise attempt to learn the source code, structure or ideas upon which such software is based. 12. WARRANTIES AND DISCLAIMERS. 12.1. General Warranties. 
Each party represents and warrants to the other party that: (a) it is duly incorporated and validly existing under applicable laws and in good standing in applicable business locations as required; (b) it has all necessary right, title, license and authority to enter into and perform its obligations under this Agreement; (c) it has appropriate agreements with its employees and subcontractors to allow it to provide and / or receive the Services in accordance with the terms of this Agreement; and (d) the person signing this Agreement (including each Attachment) on behalf of each party has full authority to bind that party to the terms and conditions hereof. 12.2. Performance Warranties. CORHIO represents and warrants to Participant that it will use commercially reasonable efforts to: (a) perform the Services and do the work created under this Agreement in a competent and professional manner in conformity with all applicable laws, industry standards and reasonable Participant instructions and specifications; and (b) provide the Services in a workmanlike, professional, and ethical manner. 12.3. Disclaimers. 12.3.1. EXCEPT AS EXPRESSLY STATED IN THIS SECTION 14 ("WARRANTIES"), THE HIE SYSTEM AND ALL OTHER SERVICES DESCRIBED HEREIN, INCLUDING, WITHOUT LIMITATION, THE DATA PROVIDED THROUGH THE HIE, ARE PROVIDED "AS IS" WITHOUT REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. CORHIO DOES NOT WARRANT COMPATIBILITY WITH ANY PARTICULAR HARDWARE OR SOFTWARE OR INTERCONNECTIBILITY WITH OTHER NETWORKS OR SYSTEMS, UNINTERRUPTED OR ERROR-FREE OPERATION. 12.3.2. 
CORHIO WILL NOT BE HELD RESPONSIBLE FOR ANY DELAY, FAILURE, INTERRUPTION, LOSS OR OTHER PROBLEM WITH ANY DATA OR THE HIE SYSTEM OR OTHER SERVICES ATTRIBUTABLE TO THE INTERNET OR PARTICIPANT'S, AUTHORIZED USERS' OR ANY THIRD PARTY'S NETWORK OR THE ABILITY TO ACCESS THE SAME, TO THE EXTENT SUCH NETWORK OR ACCESS DELAY, FAILURE, INTERRUPTION, LOSS OR OTHER PROBLEM IS NOT ATTRIBUTED TO CORHIO. 12.3.3. CORHIO MAKES NO REPRESENTATION OR WARRANTY THAT THE DATA PROVIDED BY OTHER PARTICIPANTS THROUGH THE HIE WILL BE TIMELY, CORRECT, FREE FROM ERRORS, COMPLETE, OR UNINTERRUPTED. 12.4. Not a Medical Service. CORHIO does not make clinical, medical, or other decisions. The HIE System is not a substitute for professional medical judgment applied by Participant or its Authorized Users. Without limiting any other provision of this Agreement, each Participant and the Participant's Authorized Users shall be solely responsible for all decisions and actions taken or not taken involving patient care, utilization management, and quality management for their respective patients and clients resulting from or in any way related to the use of the HIE System or the Service or the Data made available thereby. 12.5. Inaccurate Data. Without limiting any other provision of this Agreement, CORHIO and its vendors shall have no responsibility for or liability related to the accuracy, content, currency, completeness, content, or delivery of any Data either provided by a Data Provider or used by a Data Recipient pursuant to this Agreement, except to the extent that the content of such Data is distorted or corrupted as a direct result of the negligent acts or omissions or willful misconduct of CORHIO. 12.6. Other Participants and External Networks. 
By using the HIE System and the Services, Participant acknowledges that other participants have access to the HIE System and Services pursuant to the same or similar terms and conditions and that CORHIO relies on the assurances of its Participants and their Authorized Users of the HIE System as to their identity and the nature and purpose of their access to and use of the HIE System. Other than through reasonable enforcement of CORHIO's Participant Agreements, CORHIO Policies, and reasonable system controls, Participant acknowledges that access to and use of the HIE System and any Data (including Participant Data) by the other Participants and users of the HIE are beyond the direct control of CORHIO. Participant will not have any claim or cause of action against CORHIO resulting from or relating to any action or inaction of any other participant or user of the HIE. Participant further acknowledges that Data may also be shared with participants of External Networks in which CORHIO participates. CORHIO shall have no responsibility for the acts or omissions of any users accessing or utilizing such External Networks. 13. LIMITATION OF LIABILITY. 13.1. 
IN ADDITION TO ANY OTHER LIMITATIONS OF LIABILITY IN THIS AGREEMENT: (1) NEITHER PARTY WILL BE LIABLE FOR ANY SPECIAL, INCIDENTAL, EXEMPLARY, INDIRECT, PUNITIVE OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT UNDER ANY THEORY OF LIABILITY (INCLUDING NEGLIGENCE) AND WHETHER OR NOT SUCH PARTY WAS OR SHOULD HAVE BEEN AWARE OR ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, INCLUDING, WITHOUT LIMITATION, LOST REVENUE OR PROFITS, LOST DATA OR INFORMATION, COSTS OF PROCUREMENT OF SUBSTITUTE SERVICES, OR INJURY TO REPUTATION, OR CLAIMS ARISING FROM ANY DELAY, OMISSIONS OR ERROR IN THE HIE, PROVISION OR RECEIPT OF DATA; AND (2) EACH PARTY'S TOTAL CUMULATIVE LIABILITY FOR ANY INJURIES, CLAIMS, LOSSES, EXPENSES OR DAMAGES RELATED TO THIS AGREEMENT WILL NOT EXCEED THE SUM PAID ON BEHALF OF, OR TO THE LIABLE PARTY, BY ITS INSURERS IN SETTLEMENT OR SATISFACTION OF A CLAIM OR, IF NO SUCH INSURANCE COVERAGE IS PROVIDED WITH RESPECT TO A CLAIM, THE AMOUNTS ACTUALLY PAID TO CORHIO BY PARTICIPANT UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENTS GIVING RISE TO ANY SUCH LIABILITY. THE FOREGOING LIMITATIONS OF LIABILITY ARE INTENDED TO APPLY ONLY TO THE PARTIES TO THIS AGREEMENT AND EACH PARTY EXPRESSLY RETAINS ALL RIGHTS AND REMEDIES IT MAY HAVE UNDER THIS AGREEMENT OR UNDER APPLICABLE LAW WITH RESPECT TO ANY THIRD PARTY. 13.2. THE LIMITATIONS OF LIABILITY IN THIS SECTION SHALL NOT APPLY TO ANY CLAIMS, SUITS, LIABILITIES OR DAMAGES ARISING OUT OF OR RELATING TO ANY OF THE FOLLOWING: (I) A PARTY'S GROSSLY NEGLIGENT OR WILLFUL BREACH OF THIS AGREEMENT; OR (II) A PARTY'S GROSSLY NEGLIGENT OR WILLFUL MISCONDUCT. 14. INSURANCE. 
CORHIO and Participant will each purchase and maintain commercial general liability insurance, professional liability / Errors & Omissions Liability (including cyber liability) insurance coverage and such professional and general liability insurance coverage as that party deems commercially reasonable to insure itself and its officers, directors, and employees against any third party claim or cause of action arising out of its performance under this Agreement. If this Agreement is terminated for any reason, CORHIO and Participant will each either maintain its insurance coverage called for under this Section ("Insurance") for a period of not less than three (3) years, or will provide an equivalent extended reporting endorsement (a "tail policy"). Each party will provide proof of required insurance coverage to the other party upon request. The insurance coverage required under this Agreement may be provided through one or more commercial insurance policies, through a reasonably acceptable self-insurance program, or through a combination of commercial and self-insurance programs. 15. INDEMNIFICATION. 15.1. 
Each party (Indemnitor) will, at its expense, defend, indemnify, and hold harmless the other party, its subsidiaries, parent corporations, affiliates, officers, directors, independent contractors, shareholders, employees, agents, and successors and assigns (Indemnitees) from and against any and all claims, losses, damages, suits, fees, judgments, costs and expenses (collectively referred to as "Claims"), including attorneys' fees incurred in responding to such Claims, that the Indemnitees may suffer or incur arising out of or in connection with (a) loss of data or damages resulting from Indemnitor's failure to comply with the provisions of this Agreement or to comply with the obligations under the HIPAA BAA Exhibit, and not otherwise caused by Indemnitees' act or omission; (b) CORHIO's failure to comply with the laws applicable to the HIE System or Services; (c) Participant's or its Authorized User's breach of this Agreement, including without limitation, the unauthorized or improper use of the HIE System or the use or disclosure of Data for any purpose not permitted by this Agreement, CORHIO's Policies, or Applicable Law; (d) Indemnitor's fraud, gross negligence or willful misconduct; and (e) Indemnitor's introduction of any unauthorized material, including without limitation, a "computer virus" or other contaminant into the other party's environment. 15.2. The Indemnitees will give prompt notice of any Claim to Indemnitor, and Indemnitor will defend the Indemnitees at the Indemnitees' request. Indemnitor may settle, at its sole expense, any Claim for which Indemnitor is responsible under this Section 15 provided that such settlement shall not limit, unduly interfere, or otherwise adversely affect the rights granted herein, either party's obligations under this Agreement, Participant's obligations under its state or federal contracts, or impose any additional liability on Indemnitors. 15.3. INTELLECTUAL PROPERTY INFRINGEMENT. 15.3.1. 
If Participant is unable to use the Services (including without limitation HIE System) because of a claim that such use constitutes an infringement, contributory infringement, or violation of any patent, copyright, trade secret, trademark, or other third party intellectual property right ("IP Infringement Claim"), CORHIO will, at its expense: (1) procure for Participant the right to continue using such good or service; or (2) replace or modify such item so that it becomes non-infringing. If neither option is available to CORHIO through the use of commercially reasonable efforts, Participant will cease using the Service, and CORHIO will refund all fees paid for such Service. CORHIO agrees to indemnify and hold Participant and its directors, officers, employees and agents harmless during the term of this Agreement from any claim or action brought against Participant arising out of IP Infringement Claim related to HIE System and Services. 15.3.2. CORHIO's obligation under this Section 15.3 ("IP Infringement") will not extend to any IP Infringement Claim based on or arising from any: (i) use of the HIE System or Service employing hardware, software, systems, or any other configuration not authorized by CORHIO; (ii) use of the HIE System or other Services not in accordance with the terms of this Agreement or Applicable Law or Policy; or (iii) impermissible modification of the CORHIO HIE System or Services not sanctioned or approved by CORHIO. 
CORHIO will have no liability for an IP Infringement Claim if Participant fails to: (1) notify CORHIO in writing of the IP Infringement Claim promptly upon learning of it or otherwise receiving notice; (2) provide CORHIO with reasonable assistance requested by CORHIO for the defense or settlement (as applicable) of the IP Infringement Claim; (3) provide CORHIO with the exclusive right to control and the authority to settle the IP Infringement Claim (Participant may participate in the matter at its own expense); or (4) refrain from making admissions about the IP Infringement Claim without CORHIO's prior written consent. 15.3.3. THIS SECTION 19.3 ("IP INFRINGEMENT") STATES CORHIO's ENTIRE LIABILITY FOR IP INFRINGEMENT RELATING TO THIS AGREEMENT, OR THE SERVICES PROVIDED TO PARTICIPANT. 16. FORCE MAJEURE. As used in this Agreement, a "Force Majeure Event" means an act of God, riot, civil disorder, pandemic, or any other similar event beyond the reasonable control of a Party, provided that the event is not caused, directly or indirectly, by such Party. In the case of a Force Majeure Event, the nonperforming Party will be excused from further performance or observance of the obligation(s) so affected for as long as such circumstances prevail and such Party continues to use commercially reasonable efforts to recommence performance to whatever extent possible without delay. Any party so delayed in its performance will notify the Party to whom performance is due by telephone and in writing and will describe at a reasonable level of detail the circumstances causing such default or delay. 17. TERM, TERMINATION, AND SUSPENSION OF SERVICES. 17.1. Term. This Agreement shall begin on the Effective Date and shall continue for an initial term of one (1) year (the "Initial Term"). This Agreement will automatically renew after the Initial Term for successive one (1) year terms, unless earlier terminated as set forth below. 17.2. Termination. 
This Agreement may be terminated upon the following circumstances:
17.2.1. If either Party materially breaches any provision of this Agreement and fails to cure the breach within thirty (30) days after receiving written notice thereof from the non-breaching Party, the non-breaching Party may terminate this Agreement with written notice;
17.2.2. Either Party may terminate this Agreement for any reason or no reason upon sixty (60) days prior written notice to the other Party;
17.2.3. As described in Section 3 (Fees), Section 4 (CORHIO Policies), Sections 5 (CORHIO Obligations), and Section 18 (Assignment and Change in Control).
17.2.4. If either Party determines that its continued participation in this Agreement would cause it to violate any Applicable Law or would place it at material risk of suffering any sanction, penalty, or liability, then that Party may terminate this Agreement immediately upon written notice to the other Party.
17.2.5. CORHIO may terminate an SOW concurrently with the termination or suspension of any agreement with its subcontractors or third-party vendors that provide any essential component of the Services provided under that SOW, provided that CORHIO will promptly notify Participant and, upon request by Participant, will use commercially reasonable efforts to require the subcontractor or third-party vendor to cooperate with the migration of Data and applicable Services to an alternative vendor.
17.3. Suspension of Access. CORHIO may suspend access to the HIE System and any related Services for Participant or an Authorized User if necessary to ensure the stability, integrity or security of the HIE and related Services or as described in Section 3.2.
CORHIO shall advise Participant or Authorized User of such suspension prior to or, if immediate action is required and prevents prior notice, promptly after, such action is taken, and shall cooperate with Participant or Authorized User to resolve the issues leading to such suspension. Participant may direct CORHIO to suspend access for a Participant's Authorized User, and CORHIO will suspend such access promptly. CORHIO's suspension of Participant's or an Authorized User's access to the HIE shall not automatically toll any Fees due hereunder.
17.4. Early Termination Fees. If Participant terminates this Agreement or an SOW after the Implementation process has begun but prior to the Live Date, then Participant is responsible for payment in full of any Implementation Fees, which are non-refundable, as set forth in the applicable SOW.
17.5. Effect of Termination.
17.5.1. Upon expiration or termination of this Agreement (or any SOW, as applicable), each Party shall, upon the request of the other: (a) return all papers, materials and properties of the other held by such Party; and (b) provide reasonable assistance in the termination of this Agreement, as may be necessary for the orderly, non-disrupted business continuation of each Party. Termination or expiration of this Agreement will not relieve either party of any rights or obligations accruing prior to such termination under this Agreement. Upon any termination or expiration of this Agreement: (a) Participant shall cease using the HIE System and any other Services; (b) CORHIO may cease providing access to the HIE System and performing any other Services; and (c) all Fees owed to CORHIO under this Agreement before or due to such termination shall be immediately due and payable (including, at minimum, the Fees due under this Agreement prorated based on Services performed by CORHIO prior to termination).
17.5.2. Return of Data.
Unless an SOW or the HIPAA Business Associate Agreement states otherwise, within thirty (30) days after the expiration or termination for any reason (or to any extent) of this Agreement, CORHIO shall return or destroy all applicable Participant Data, including PHI, if feasible to do so, including all applicable PHI in possession of CORHIO's subcontractors.
17.6. Survival. Participant and CORHIO's respective obligations hereunder which by their nature would continue beyond the termination of this Agreement or expiration of any SOW, shall survive. This includes, by way of example but not limited to, the obligations provided under the Sections or Exhibits with the following headings: "Confidentiality", "Indemnification", any warranty by CORHIO, the HIPAA BAA, and to the extent applicable, any obligations stemming from state-based government funded programs that are covered under this Agreement, e.g., Medicaid, CHIP, etc.
18. ASSIGNMENT AND CHANGE OF CONTROL. Neither Party may assign its rights or obligations under this Agreement without the advance written consent of the other Party, which consent shall not be unreasonably withheld, except that CORHIO or Participant may assign the Agreement to any acquirer of all or substantially all of its assets or to the survivor in any merger or similar combination with another entity. In the event that Participant undergoes any change of control of stock, assets, or business (whether by way of merger, sale of assets, sale of stock, or otherwise) during this Agreement that results in an increase in the number of Authorized Users under this Agreement, Participant shall notify CORHIO and the parties shall negotiate within thirty (30) days of such notice to amend the Fees due under this Agreement to make such fees reasonably proportionate to such increase.
In the event that the parties are unable to negotiate an amendment to the Fees within ninety (90) days, CORHIO may terminate this Agreement upon seven (7) days' notice to Participant.
19. QUALIFIED IMMUNITIES (IF APPLICABLE). This Section 19 is applicable only to Participants that are public sector entities, as described herein. The liability, if any, of Participant for damages, losses, or costs arising out of or related to acts performed by Participant pursuant to this Agreement, will be governed by the provisions of the Immunity Act and the Federal Tort Claims Act, 28 U.S.C. 2671 et seq. as applicable, as now or hereafter amended, and no provision of this Agreement, will be deemed a waiver, express or implied, of any of the immunities, rights, benefits, or protections of any applicable provisions of the Immunity Act or the Federal Tort Claims Act, as it pertains to certain public sector Participants. No Participant that is a "public entity" of the State of Colorado, as defined in Immunity Act at CRS § 24-10-103, will be obligated by this Agreement to indemnify, hold harmless, exonerate or defend, any other Participant or CORHIO for any claim or other liability, asserted or unasserted, pursuant to this Agreement.
20. DISPUTE RESOLUTION. The Parties will attempt to resolve any Dispute according to the procedure set forth in this Section 20 ("Dispute Resolution"). Upon written notice of a Dispute from either Party, each Party will appoint a senior manager or executive who will meet for the purpose of resolving the Dispute. During the thirty (30) day period following such initial meeting (or such other period as the Parties may agree in writing), the designated representatives will meet as often as reasonably necessary to negotiate in good faith in an effort to resolve the Dispute without the necessity of any formal proceeding.
Notwithstanding any other provision of this Agreement, if a Dispute is not resolved by the Parties within ninety (90) days after the issuance of written notice under this provision, either Party may take any available action in law or in equity. Nothing in this provision will prevent a Party from seeking a restraining order, injunction or other equitable relief before commencing or during the foregoing informal Dispute Resolution processes. Each Party will bear its own costs and expenses, and an equal share of the administrative fees of the Dispute Resolution.
21. ADDITIONAL PROVISIONS
21.1 Auditing and Monitoring. CORHIO will have the right, but not the obligation, to monitor and audit HIE System use by Participant and its Authorized Users, including to confirm compliance with this Agreement, CORHIO Policies, and Applicable Law. Unless prohibited by Applicable Law, Participant agrees to cooperate with CORHIO in these monitoring and auditing activities.
21.2. Access Logs. Data Recipients will maintain records of access to and use of the HIE System in accordance with usual practices. CORHIO will maintain records of use of the HIE System in accordance with CORHIO Policies, provided that such Policies conform to Applicable Law and with recognized health care industry standards. Each Party will, upon request, provide the other with information from its access logs if reasonably required for the requesting Party to comply with Applicable Law. In addition, Participant will not unreasonably refuse to provide CORHIO with a copy of information from its access logs if CORHIO demonstrates a specific need for such information relating to the operation of the HIE System. CORHIO will provide Participant with information from its access logs in accordance with the requirements of the applicable Business Associate Agreement and CORHIO Policies.
Information from access logs provided pursuant to this Agreement shall be treated as Confidential Information by the recipient subject to the provisions of this Agreement.
21.3. Legal and Regulatory Compliance. All Services performed under this Agreement shall be in compliance with Applicable Law and CORHIO's Policies, including but not limited to, those relating to the confidentiality, privacy, security, or other access or use of the HIE or any Data.
21.4. Antitrust Compliance. Participant agrees not to use any information or Data available through the HIE System or to which it has access under this Agreement to evaluate or set its own prices for services or products or to otherwise act in violation of state or federal antitrust laws and regulations. Participant also agrees not to discuss prices for Services with other CORHIO Participants or to make any effort collectively with other Participants to establish prices in violation of law.
21.5. Entire Agreement. This Agreement including its Attachments, Exhibits and any SOWs placed hereunder shall constitute the entire agreement between Participant and CORHIO relating to the matters specified in this Participant Agreement and supersedes all earlier representations or agreements with respect to the same matters, including any other Participant Agreement previously executed between the parties. The terms and conditions of the Attachments, Exhibits and any SOW hereunder, are integral parts of this Agreement and are fully incorporated herein by this reference. No conflicting or supplemental pre-printed provisions on CORHIO and Participant forms (including without limitation shrink wrap terms, terms on purchase orders or invoices) shall be binding on the parties.
21.6. Amendment. This Agreement may be amended from time to time as agreed upon by both Parties.
Any amendment or modification to this Agreement or any duly executed SOW hereunder shall not be valid, enforceable, or binding on the Parties unless such amendment or modification (a) is a written instrument duly executed by the authorized representatives of both Parties; and (b) references this Agreement and any SOW, if applicable, and identifies the specific sections contained therein which are amended or modified. However, if an amendment of this Agreement is required for CORHIO to comply with Applicable Law or to ensure the secure and effective operation of the HIE System, CORHIO may implement the change within a time period that CORHIO determines to be reasonable under the circumstances, subject to Participant's termination rights contained herein. No oral modification or waiver of any of the provisions of this Participation Agreement is binding on either Party.
21.7. Governing Laws / Venue. This Agreement will be governed by and interpreted in accordance with the Laws of the State of Colorado without regard to the conflict of law provisions. Any action or proceeding arising from or relating to this Agreement must be brought exclusively in a state or federal court in Denver, Colorado, and each party irrevocably submits to the exclusive jurisdiction and venue of such courts.
21.8. Use of Trademarks and Trade Names. Nothing in this Agreement will be deemed to give either Party any right to use the other Party's trademarks, trade names, logos, and service marks without the other Party's prior written consent. Notwithstanding the foregoing, the Parties acknowledge and agree that CORHIO may identify Participant as participating in the HIE, including for the purposes of community planning, provider engagement, public notice of HIE participation, advisory committee activities, grant preparation or submission, and Participant may disclose its participation in the HIE.
21.9. Severability.
If any provision of this Agreement is held to be invalid or unenforceable by a court of competent jurisdiction, then the remaining portions of the Agreement shall be construed as if not containing such provision, and all other rights and obligations of the Parties shall be construed and enforced accordingly.
21.10. Notices. Except as otherwise specified herein, all notices, demands or other communications hereunder shall be in writing and shall be deemed to have been duly given if delivered in person, via electronic mail or facsimile transmission, or by United States mail, certified or registered, postage prepaid, return receipt requested, or otherwise actually delivered to the appropriate party as identified in the signature block below. Nothing in this Section will prevent the Parties from communicating via electronic mail, telephone, facsimile, or other forms of communication for the routine administration of the HIE System.
21.11. No Waiver. No waiver or failure to exercise any option, right, or privilege under the terms of this Agreement on any occasion or occasions shall be construed to be a waiver of the same or any other option, right or privilege on any other occasion.
21.12. Counterparts. This Agreement may be executed in one or more counterparts, each of which shall be deemed to be an original, but all of which together will constitute one and the same instrument. Facsimile signatures and signatures transmitted by email after having been scanned will be accepted as originals for the purposes of this Agreement.
[Signature Page Follows]
CORHIO Participant Agreement | August 2020 Version | Confidential
SIGNATURE PAGE
In consideration of the foregoing, the mutual covenants contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties below enter into this Agreement, effective as of the Effective Date, and agree to the terms herein:
Participant: County of Weld, Colorado, Weld County Coroner's Office
By: [signature]
Print Name: Steve Moreno
Title: Chair, Board of County Commissioners
Date: MAY 17 2021
CORHIO: Colorado Regional Health Information Organization
By:
Print Name:
Title:
Date:
Contact information for all Notices due under this Agreement:
Participant
Primary Address: PO BOX 758, Greeley, CO 80632-0758
Primary Contact (name, title): Carl Blesch, Administrative Deputy Coroner
Phone: 970-400-4991
Email: cblesch@weldgov.com
EIN: 84-6000813
CORHIO
Primary Address: 4500 Cherry Creek South Drive, Suite 820, Denver, CO 80246
Primary Contact: Name: Melina Reyther; Title: Outreach Manager
Phone: 720-285-3228
Email: mreyther@corhio.org
CORHIO Participant Agreement Sept. 2020 Version
ATTACHMENT 1
CORHIO Services List
Service: PatientCare 360®
Description: PatientCare 360® is a web-based longitudinal patient view portal that includes aggregated clinical and demographic data from disparate data sources such as hospitals and credentialed laboratories. The Community Health Record function of the portal provides Authorized Users with query-based access to a longitudinal view of a patient's health data as available in the HIE System.
Service: Add-On Services for PatientCare 360®
Description:
• Single Sign-On (allows users to access the portal from within an EHR system)
• Clinical Inbox / EMS Inbox (a function in PatientCare 360 allows hospitals to send a patient facesheet from an emergency department admission after an EMS agency has transported a patient to that location)
Service: Results Delivery
Description: CORHIO will implement and maintain HL7 interfaces from the HIE into the Participant EHR inclusive of the following data types (as selected by Participant and as available in the HIE System):
• Laboratory Results
• Pathology Reports
• Radiology Reports
• Transcribed Reports
• Admission, Discharge and Transfer (ADT) Information
Service: Notifications
Description: CORHIO's Notification services provide member / patient-based routing of results available in the HIE System to Participant via one of the following delivery methods: daily batch files to SFTP; HL7 feed; Application Programming Interface (API) feed. CORHIO offers Notification services for the following data types:
• ADTs
• General Labs
• COVID-19 Labs
• Diabetes
• Cholesterol
• Hepatitis
(Additional Notifications Types are Being Developed)
Service: Data Sender Services
Description:
• Data Sender — Hospital: CORHIO can help you deliver the following data to your community providers via HL7 feeds: laboratory, pathology and microbiology test results, radiology reports, hospital admission, transfer and discharge (ADT) summaries and transcriptions.
• Data Sender — Lab / Imaging: Laboratories and Imaging Centers can send results to the CORHIO HIE for community providers to access, including radiology reports, laboratory results and links to imaging files.
• Data Sender — Cross Community Architecture (XCA): For those organizations unable to send data to the HIE via HL7 feed, CORHIO can set up an XCA connection.
• Data Sender — Patient Centered Data Home (PCDH): CORHIO works with other HIEs on PCDH alerts, which notify providers a care event has occurred outside of the patients' "home" HIE, and confirms the availability and specific location of the clinical data.
• Data Sender — Continuity of Care Documents (CCDs): CORHIO can ingest the Participants' CCD/care summary documents for multiple purposes, such as for the Medicaid APM electronic Clinical Quality Measures initiative or to improve referral communications and care coordination efforts.
Service: Patient History
Description: CORHIO's Patient History service matches Participant member lists / patient panels to a database of historical clinical data and returns data in the timeframe increment of your choice. Patient History data may include patient demographics, ADT data including admission type, sending facility, admission date/time, discharge diagnosis, and lab and radiology data, as available in the HIE. Patient History Data will be provided to Participant via one of the delivery methods offered by CORHIO.
Service: Consolidated Care Summaries
Description: The Consolidated Care Summaries service is designed to streamline clinical decision-making, reduce information redundancies, and improve care coordination by consolidating disparate data elements available in the CORHIO HIE into a single, comprehensive CCD based on a specific trigger type, such as Emergency Department admission. The Service allows providers to have a single view of all clinical information available in the HIE for a specific patient.
Service: Direct Messaging
Description: CORHIO offers HISP services and Direct Messaging addresses to qualified health care providers, regardless of whether they use an EHR. For providers with an EHR that is not capable of providing HISP services, CORHIO offers EHR-enabled HISP services. For providers without an EHR, CORHIO offers a standalone, Web-based software application called Web Direct for sending and receiving Direct messages.
Service: CIIS Reporting
Description: CORHIO and CDPHE's Colorado Immunization Information System (CIIS) have developed an interface that allows medical practices to upload immunization data from their EHRs through the HIE System. Reporting immunizations to public health via CORHIO can also assist organizations in meeting quality reporting and incentive program requirements.
Service: CIIS Query
Description: CORHIO has enabled functionality that allows practices and health systems to query the CIIS Registry for patient vaccine history from within electronic health records thereby eliminating the need for providers and their supporting staff to go out to the CIIS Portal directly to learn of the patient's vaccine history.
Service: Public Health Reporting
Description: In addition to immunization reporting, hospitals and practices participating in the CORHIO network can leverage the HIE System to send data to or receive data from state and county health departments, including for newborn screening reporting, cancer registry reporting, syndromic surveillance and electronic lab reporting.
Service: Social Determinants of Health Platform
Description: CORHIO has partnered with an organization that offers a case management and network care coordination software tool that enables Participants to refer patients to community-based organizations who can assist in the provision of care in the social services continuum.
CORHIO's Healthcare Quality Improvement Team Services
Service: Clinical Quality Reporting and Value-Based Care
Description: CORHIO offers electronic solutions and staff training for submitting eCQMs for providers participating in the Alternative Payment Model track or the Non-APM track of CMS's Quality Payment Program.
Service: Coding for Improved Reimbursements
Description: CORHIO offers services to assist practices with Hierarchical Condition Category (HCC) coding, which is a risk-adjustment model originally designed to estimate future healthcare costs for patients.
Service: Federal Incentive Programs and Colorado Grant Programs
Description: Our team can assist you with participating in Colorado grant opportunities and Federal incentive programs to improve health information exchange and quality reporting for your practice.
Service: EHR Adoption, Replacement and Optimization
Description: Our team is available for guidance on EHR vendor contract negotiations and recommendations for contract inclusions and disclosures that help avoid unexpected fees as well as best practices to optimize use of your existing system.
Service: Medical Home Recognition
Description: Hands-on assistance from NCQA Certified Content Experts to simplify the process of becoming PCMH recognized.
Service: Telehealth Assistance
Description: Guidance with telehealth, such as setting up services, identifying appropriate visits for telehealth, and properly billing for reimbursements using the latest COVID-19 guidelines.
ATTACHMENT 2
Terms and Conditions Applicable to Participation in CORHIO External Networks
To support Participant's communications with entities that are not CORHIO participants, CORHIO participates in the eHealth Exchange network, which facilitates health information exchange across the country. As a condition of participation in the eHealth Exchange network, CORHIO has signed the Data Use and Reciprocal Services Agreement ("DURSA") and is required to obtain Participant's agreement to comply with certain provisions in the DURSA for Participant's communications using the eHealth Exchange network.
Participant agrees to comply with the following provisions when conducting Data Exchanges with the eHealth Exchange network:
1) Definitions
a) "Applicable Law" means: i) for the Participants that are not Federal Participants, all applicable statutes and regulations of the State(s) or jurisdiction(s) in which the Participant operates, as well as all applicable Federal statutes, regulations, standards and policy requirements; ii) for the federal Participants, all applicable Federal statutes, regulations, standards and policy requirements.
b) "Message Content" means Participant's Shared Information, Protected Health Information, de-identified data, individually identifiable information, pseudonymized data, metadata, and schema.
c) "Permitted Purpose" shall mean one of the following reasons for which Participants or Participant Users may legitimately exchange Data:
i) Treatment, Payment, Health Care Operations, and Authorization based disclosures as defined by HIPAA;
ii) Transaction of Message Content related to value based payment models, alternative payment arrangements or financial risk sharing models of any nature whether for Medicare, Medicaid, other federal programs, commercial payers or employer self-insured arrangements.
This could include, but is not limited to, participation in Medicare bundled payments, the Medicare Shared Savings Program, other Medicare Alternate Payment programs, Medicaid Managed Care programs or commercial value-based payment programs;
iii) Transaction of Message Content for certain specialized government functions which are necessary to fulfill an agency's statutory obligations for programs the agency administers including, but not limited to: (i) activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission; (ii) for the purpose of the Department of Veterans Affairs determining the individual's eligibility or entitlement to benefits under the VA upon separation or discharge of the individual from military service; (iii) to determine eligibility for or entitlement to or provision of other government benefits; (iv) for activities related to eligibility for or enrollment in a health plan that is a government program; (v) for administering a government program providing public benefits, to coordinate covered functions; or, (vi) to improve administration and management relating to the covered functions of such government programs;
iv) Public health activities and reporting as permitted by Applicable Law, including the HIPAA Regulations at 45 C.F.R. § 164.512(b) or 164.514(e);
v) Any purpose to demonstrate meaningful use of certified electronic health record technology by the (i) Submitter, (ii) Recipient or (iii) Covered Entity on whose behalf the Submitter or the Recipient may properly Transact Message Content under this Agreement, provided that the purpose is not otherwise described in subsections 1-46 of the DURSA and the purpose is permitted by Applicable Law, including but not limited to the HIPAA Regulations. "Meaningful use of certified electronic health record technology" shall have the meaning assigned to it in the regulations promulgated by the Department of Health and Human Services under the American Recovery and Reinvestment Act, Sections 4101 and 4102;
vi) Transaction of Message Content in support of an individual's: (i) right to access their health information or (ii) right to direct with whom their information can be shared or where their information should be sent. For the avoidance of doubt, a Participant may be prevented from disclosing information due to Applicable Law even though the individual asserts this Permitted Purpose;
d) "Transact" means to send, request, receive, assert, respond to, submit, route, subscribe to, or publish Message Content.
2) Data Exchange. While Transacting Message Content in accordance with the DURSA, Participant shall:
a) Comply with all Applicable Law;
b) Reasonably cooperate with CORHIO on issues related to the Agreement and the DURSA, including participating in information gathering and documentation related to Participant's use of the HIE System to conduct Data Exchange with the eHealth Exchange;
c) Transact Message Content only for a Permitted Purpose;
d) Use Message Content received from another Participant or Authorized User in accordance with the terms and conditions of the Agreement and the DURSA;
e) As soon as reasonably practicable after determining that a Breach occurred, report such Breach to CORHIO; and,
f) Refrain from disclosing to any other person any passwords or other security measures issued to the Authorized User by the Participant.
3) Use of Data Received.
With regard to Data that Participant receives through the eHealth Exchange, Participant will comply with the terms and conditions of the DURSA, at https://ehealthexchange.org/wp-content/uploads/2019/11/DURSA-Restatement-II-of-the-DURSA-revised-August-13-2019-EXECUTABLE.pdf. Participants who receive Data via the eHealth Exchange may retain, use and re-disclose such Data in accordance with Applicable Law and the Participant's record retention policies and procedures.
4) Protection of Passwords and Other Security Measures. Participant and its Authorized Users shall refrain from disclosing to any other person any passwords or other security measures issued to the Participant or its Authorized Users, and shall comply with all Policies related to the security of the HIE.
5) Termination of DURSA. If CORHIO's participation in the DURSA is terminated for any reason, Participant will no longer have any right to conduct Data Exchanges through the eHealth Exchange utilizing CORHIO connections.
6) Required Alternative Dispute Resolution. Participants shall submit any disputes related to their exchange of Protected Health Information over the eHealth Exchange to the non-binding Dispute Resolution Process as required by the DURSA.
Mandated Flow-Down Provisions for Data Exchange through PCDH
These additional flow-down provisions relate to the exchange of Data (as defined below) in accordance with the Patient Centered Data Home Master Collaboration Agreement (the "PCDH") entered into by CORHIO. To the extent of a conflict between these provisions and the Agreement, these provisions shall govern with respect to the exchange of Data through the PCDH. These provisions are subject to change in accordance with requirements of the PCDH.
1) Definitions.
Capitalized terms used but not otherwise defined in the Agreement or this Attachment shall have the meaning ascribed in HIPAA.
a) "Applicable Law" means: (i) for the Participants that are not federal Participants, all applicable statutes and regulations of the State(s) or jurisdiction(s) in which the Participant operates, as well as all applicable Federal statutes, regulations, standards and policy requirements; (ii) for the federal Participants, all applicable Federal statutes, regulations, standards and policy requirements.
b) "Data" means information that is electronically transmitted pursuant to the PCDH. This information includes, but is not limited to, Protected Health Information (PHI), de-identified data (as defined in the HIPAA Regulations at 45 C.F.R. § 164.514), pseudonymized data, metadata, and schema. Confidential Information is excluded from the definition of Data.
2) While exchanging Data in accordance with the PCDH, Participant shall:
a) Comply with all Applicable Law;
b) Report a Breach to CORHIO;
c) Refrain from disclosing to any other person any passwords or other security measures issued to Participant by CORHIO; and
d) Refrain from threatening the integrity or availability of an interface or HIE System or the privacy and security of any information stored therein.
ATTACHMENT 3
CORHIO POLICIES (separate attachment)
Available on CORHIO's Website at https://www.corhio.org/onboarding
ATTACHMENT 4
LABCORP AND QUEST DIAGNOSTICS PROVIDER AUTHORIZATION FORMS (See Separate attachment if applicable to Participant)
Available on CORHIO's Website at https://www.corhio.org/onboarding
EXHIBIT A
Statement(s) of Work (See Separate Attachment(s))
EXHIBIT B
Business Associate Agreement (separate attachment)
Statement of Work
PatientCare 360® Web-Based Portal
Per Authorized User
This Statement of Work No. 1 ("SOW") is a binding contract between the parties and is hereby made a part of, and incorporated by reference into, the Participant Agreement ("Agreement") by and between CORHIO and the entity listed below ("Participant") and subject to all the terms and conditions contained therein. The SOW is effective upon execution by both parties ("SOW Effective Date"). It will supersede and control over any contradictory terms set forth in the Agreement with respect to the services set forth herein and will be deemed to have augmented and modified the rights and obligations of the parties under the Agreement to the extent necessary to give each provision of this SOW full force and effect. Following this SOW, all references to the term "Agreement" in the Agreement will include the terms and conditions of the Agreement and this SOW, for the term of this SOW, as herein defined.
Party: PARTICIPANT
Name: County of Weld, Colorado, Weld County Coroner's Office
Primary Address: PO BOX 758, Greeley, CO 80632-0758
Primary Contact: Name: Carl Blesch; Title: Administrative Deputy Coroner; Phone: 970-400-4991; Email: cblesch@weldgov.com
Party: CORHIO
Name: Colorado Regional Health Information Organization
Primary Address: 4500 Cherry Creek South Drive, Suite 820, Denver, CO 80246-1518
Primary Contact: Name: Melina Reyther; Title: Outreach Manager; Phone: 720-285-3228; Email: mreyther@corhio.org
Effective date of Participant Agreement with CORHIO:
In consideration of the foregoing, the parties agree as follows: 1. DEFINITIONS. The capitalized terms used in this Master SOW will have the definitions provided in this SOW or, if not provided in this SOW, in the Agreement. a. "Account" means the mechanism through which access to the Services is provided by CORHIO to an individual Authorized User, utilizing a unique Account login. Each Account will be assigned to, and may only be utilized by, a single Authorized User. b. "Authorized User" has the same meaning in the Agreement and means an employee or contractor of Participant or any Participant affiliate who is uniquely identified and credentialed with an Account to access the PatientCare 360 Services, pursuant to Participant's specific request to CORHIO. c. "Implementation" means the installation and initial testing of the services described in this SOW. 2. COMPLIANCE WITH LAWS AND POLICIES. This SOW and the rights and obligations of the parties hereunder are made subject to, and each party will at all times comply with, all applicable Laws and Policies.
CORHIO PatientCare360® SOW Page 1 (v. Sept. 2020)
3. SERVICES.
Subject to the terms of this Agreement, CORHIO will use commercially reasonable efforts to provide the following Services:
Table A: Summary of Service
Service Requested: PatientCare 360® Web-Based Portal
Description: PatientCare360® is a web-based longitudinal patient view including aggregated clinical and demographic data from disparate health systems' available data sources. The Community Health Record function of the portal provides Authorized Users with query-based access (including break the glass capability to access additional patient records with appropriate permissions) to a longitudinal view of a Patient's health data as available in the HIE System. Data sources include:
• Demographic and face sheet data
• Lab and pathology results in several formats
• Encounter documentation including transcribed notes, provider encounter date, and insurance information
• Radiology and imaging results and reports
• Allergies
• Medical Diagnosis and Problems List with Dates (if sent)
• Medical Treatments and Procedures with Dates (if sent)
• Past Hospitalizations with Dates
• Ability to query for Continuity of Care Documents (CCD) from a connected data sender
Table B: Summary of CORHIO's Implementation Services
Service Requested: Project & Implementation Management
Description: CORHIO will assign a project manager to oversee Implementation planning, scheduling and execution. The project manager will be the first point of contact for Participant during Implementation. CORHIO Project Manager and Participant will jointly be responsible for managing the project schedule, risks, and issues.
Service Requested: Healthcare Quality Improvement Consulting (Optional)
Description: For an additional hourly fee, CORHIO's Healthcare Quality Improvement team is available to provide consulting support services to Participant's staff to assist in integrating new CORHIO HIE Services into staff workflow.
Service Requested: Authorized User Training
Description: All Authorized Users identified on the Authorized User request form will receive credentials to online training modules from CORHIO that are available for 6 months.
Service Requested: Escalation Contact
Description: CORHIO shall make available a point of contact for escalation of issues or concerns during the Implementation.
Service Requested: Ongoing Maintenance, Support Desk, & Monitoring Support
Description: CORHIO will provide routine maintenance, support desk and system monitoring services for the Patient History product in accordance with the terms of the Agreement and CORHIO's then-current Service Levels.
4. PARTICIPANT OBLIGATIONS. In addition to the obligations set forth in the Agreement and subject to the terms and conditions thereto, Participant agrees to do the following in support of the Services described in this SOW: a. Planning and Resource Coordination. i. Participant shall coordinate internal resources required for the implementation work to proceed. Participant acknowledges that implementation of the Services will require multiple meetings and that CORHIO can only proceed with participation from the Participant. ii. Participant agrees to provide a point of contact (POC) for outage information as well as a HIPAA Compliance or Privacy Officer. Participant agrees to notify CORHIO within fourteen (14) days of any changes to these roles. b. Notice of Participation. Participant is responsible for updating and appropriately distributing their Notices of Privacy Practices to inform Patients of their participation in the HIE System in accordance with HIPAA and Applicable Law. Participant is responsible for providing Patients with notice of their right to Opt-Out of having their information compiled and shared in PatientCare 360 and must appoint an individual, or individuals, within the organization to manage the Patient Opt-Out process. c. Authorized User Accounts for PatientCare360® Access. i. Access.
Access to the HIE System and Services will be provided only to Authorized Users. Participant will provide all information requested by CORHIO, including a unique email address, in connection with the establishment of each Account, which may be used only by the Authorized User of the applicable Account. Participant is responsible for requiring all Authorized Users to meet the requirements of this SOW and applicable Policies and Laws for access to the HIE System and Services. Participant will ensure the security and confidentiality of each Account and the associated login credentials and will notify CORHIO immediately if any Account login credentials are lost, stolen, or otherwise compromised. ii. User Authentication. CORHIO provides access to the Services via secured methodology. Consistent with industry standards and best practices, CORHIO is incorporating multi-factor authentication for access to the Services by all Authorized Users that access PatientCare 360 through the web portal (n/a for those using single sign-on through Participant's EHR). Following Implementation and on a schedule that is mutually agreeable to CORHIO and Participant (in no case to exceed three (3) months), all Authorized Users of Participant that access PatientCare 360 through the web portal will be trained on and required to install and utilize a software application that will be used to validate Authorized User identity. iii. Training. Each Authorized User will complete all training regarding the use of the HIE System and Data required by CORHIO, and Participant will certify that each Authorized User has completed all such training and signed the Appropriate Uses & Disclosures form, a sample of which has been provided as Attachment 1. iv. Changes in Authorized User Status. Participant is responsible for initiating, updating, removing or suspending access of its Authorized Users to the HIE System in compliance with applicable Laws and Policies and the Agreement.
Participant shall notify the CORHIO Helpdesk immediately of any changes in the status of any Authorized User (or their ability to access the HIE System or Services) as set forth in the applicable Policies, including but not limited to employee departures or terminations. d. Participant is fully responsible for all fees, liabilities, and damages incurred through use of each Account (whether lawful or unlawful) and any activity completed through any Account will be deemed to have been completed by Participant.
5. FEES AND INVOICING. a. The following Fees are payable to CORHIO by Participant and will be added to other Fees due under the Agreement. i. PatientCare 360 Implementation Fee: (when purchased stand-alone without the purchase of CORHIO's Results Delivery Service). $1500.00. ii. Subscription Fees:
Number of Users | PatientCare360 Monthly Cost | PatientCare360 Annual | Billing Cycle
1-5 | $150 | $1,800 | Annual
6-10 | $225 | $2,700 | Annual
11-15 | $390 | $4,680 | Quarterly
16-20 | $510 | $6,120 | Quarterly
21-25 | $690 | $8,280 | Quarterly
26-30 | $840 | $10,080 | Quarterly
31-35 | $990 | $11,880 | Quarterly
36-40 | $1,140 | $13,680 | Quarterly
41-45 | $1,290 | $15,480 | Quarterly
46-50 | $1,110 | $17,280 | Quarterly
51-60 | $1,650 | $19,800 | Quarterly
61-70 | $1,950 | $23,400 | Quarterly
71-80 | $2,250 | $27,000 | Quarterly
81-90 | $2,550 | $30,600 | Quarterly
91-100 | $2,850 | $34,200 | Quarterly
100 plus | $3,000 | $36,000 | Quarterly
* The pricing set forth in this Section is valid for 90 days from Participant's receipt of this SOW. If the SOW is not executed within 90 days of receipt, then CORHIO reserves the right to adjust the pricing for the Services.
b. Invoicing. i. CORHIO will issue electronic invoices to Participant for the Services. Participant shall provide an email address to CORHIO for electronic invoicing and shall update CORHIO within 14 days of any change in email address.
If Participant requests paper billing, Participant shall provide CORHIO with proper mailing address and contact information. ii. Implementation Fees. 1. Unless waived, CORHIO will invoice Participant 50% of the Implementation Fees within 30 days of the SOW Effective Date and the remaining 50% of the Implementation Fees within two weeks of Implementation of the Services or six months after SOW Effective Date (whichever is earlier). Payment is due within 30 days of receipt of invoices and is non-refundable. 2. Use of Colorado Care Connections Program Funding to cover Implementation Fees is subject to availability. If the programs are discontinued or the funds are no longer available at the time that Participant seeks to set up and implement the Services identified herein, then Participant shall be responsible for covering the one-time Implementation Fees. iii. Subscription Fees. User Fees for Authorized User access to the HIE System will be billed starting the first day following access by an Authorized User to the HIE System. Fees are calculated based on the number of Authorized Users at the time of contract execution. The number of Authorized Users will be reviewed at least annually with the practice and pricing will be adjusted upon that review. 6. DISCLAIMER. CORHIO IS NOT RESPONSIBLE FOR ANY FAILURE TO COMPLETE OR TIMELY PERFORM THE SERVICES THAT IS SUBSTANTIALLY CAUSED BY THE PARTICIPANT'S FAILURE TO MEET THE EXPECTATIONS SET FORTH HEREIN, INCLUDING FAILURE TO ALLOT APPROPRIATE TIME AND RESOURCES FOR IMPLEMENTATION AND TESTING. CORHIO IS NOT RESPONSIBLE FOR ANY FAILURE BY PARTICIPANT TO FULFILL THE OBLIGATIONS SET FORTH HEREIN, INCLUDING RELATED TO ACCESS TO THE HIE SYSTEM AND SERVICES VIA ACCOUNTS ISSUED BY CORHIO OR BY AUTHORIZED USERS. 7. TERM.
This SOW shall remain in effect consistent with terms of the Participant Agreement and may be extended or renewed in writing for subsequent one-year terms subject to the negotiation of applicable fees. The Services described in this SOW may be terminated as described in the Participant Agreement or upon 90 days' prior written notice to the other party. 8. This SOW may be executed in one or more counterparts, duplicate originals, or facsimile versions, each of which will be deemed an original, but all of which together will constitute one and the same instrument. By signatures of their duly authorized representatives, the Parties hereby agree to be bound by the terms of this SOW.
For Participant: County of Weld, Colorado, Weld County Coroner's Office, by and thru the Board of County Commissioners Signed: Name: Steve Moreno Title: BOCC, Chair Date: MAY 17 2021
For CORHIO: Colorado Regional Health Information Organization Signed: Name: Title: Date:
Authorized User Signature
Attachment 1 Appropriate Uses & Disclosures
As a condition of being an Authorized User of CORHIO's PatientCare360® Health Information Exchange Portal, I agree to abide by the following terms and conditions: 1. I will not disclose my account credentials (username and password) to anyone. 2. I will not allow anyone to access the HIE System using my username and password. 3. I will not attempt to learn or use another's username and password. 4. I will not access the HIE System using a username and password other than my own. 5. I am responsible and accountable for all data retrieved and all entries made using my username and password. 6. If I believe the confidentiality of my username and password has been compromised, I will immediately notify the CORHIO help desk (helpdesk@corhio.org or 720-285-3277) so that my password can be changed. 7.
I will not leave my computer unsecured while logged into the HIE System. 8. I will treat data available to me through the HIE System confidentially, as required by the Health Insurance Portability and Accountability Act and its implementing regulations (HIPAA). I will not disclose any confidential information unless required to do so within the official capacity of my job responsibilities, and then only limited to parties with a legitimate need to know. 9. I will not access, view, or request information regarding anyone with whom I do not have a clinical relationship, or a need to know in order to perform my job, including my own data. 10. I acknowledge that my use of the HIE System will be routinely monitored to ensure compliance with this agreement. 11. I further acknowledge that if I violate any of the terms as stated above, I am subject to loss of HIE System privileges, legal action, and/or any other action available to CORHIO.
Name (Print): Steve Moreno Title: Chair, Board of Weld County Commissioners Organization: Weld County Coroner's Office Date: MAY 17 2021
BUSINESS ASSOCIATE AGREEMENT
This Business Associate Agreement ("Agreement") is entered into as of the date of execution by both parties (the "Effective Date"), by and among Weld County Coroner's Office acting as a Covered Entity ("Covered Entity") and the Colorado Regional Health Information Organization, a Colorado nonprofit corporation, with an address of 4500 Cherry Creek South Drive, Suite 820, Denver CO 80246, acting in the capacity as a Business Associate or Subcontractor Business Associate ("CORHIO" or "Business Associate") (collectively referred to herein as the "Parties"). This Agreement supersedes any prior Business Associate Agreement between or among the Parties.
RECITALS WHEREAS, CORHIO governs and operates a Colorado, state-wide health information exchange ("HIE") through which Covered Entity and other participants will transmit or receive Protected Health Information (referred to herein as "PHI" and defined below) and other information to CORHIO, acting in the capacity as a common Business Associate or Subcontractor Business Associate; WHEREAS, CORHIO and Covered Entity have entered into a written agreement and may in the future enter into additional written agreements, including one or more statements of work, pursuant to which CORHIO may, on Covered Entity's behalf, access, use, create, receive, transmit, maintain, and/or disclose PHI (the "Participant Agreement"); WHEREAS, Covered Entity and CORHIO intend to protect the privacy and provide for the security of PHI disclosed to CORHIO and comply with the requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-005 ("HITECH Act"), and the final regulations to such Acts that the U.S. Department of Health and Human Services ("HHS") has promulgated and set forth in 45 CFR Parts 160, 162, and 164 (collectively, the "HIPAA Rules"); WHEREAS, the Parties acknowledge that this Agreement shall supplement and/or amend the Participant Agreement only with respect to CORHIO's access, use, creation, receipt, transmittal, maintenance or disclosure of PHI and supersedes any prior Business Associate Agreement between the parties; WHEREAS, the participants in HIE do not become Business Associates of each other by virtue of this Business Associate Agreement. NOW THEREFORE, in consideration of the mutual promises below and the exchange of information pursuant to this Agreement, the Parties agree as follows: 1. DEFINITIONS. A. "Applicable Law" means HIPAA, the HITECH Act, the HIPAA Rules, as well as applicable state law. B.
"Breach" shall have the meaning given to such term at 45 C.F.R. § 164.402. C. "Discovery" shall mean the first day on which an Incident (as defined herein) is known to Business Associate (including any person that is an employee, officer, or Subcontractor of Business Associate), or should reasonably have been known to Business Associate, to have occurred. D. "Incident" shall have the meaning provided under Section II.F. E. "Individual" shall have the same meaning as the term "Individual" in 45 C.F.R. § 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g). F. "Protected Health Information" or "PHI" shall have the same meaning as the term "Protected Health Information" in 45 C.F.R. § 160.103, limited to the information created, received, transmitted, or maintained by Business Associate on behalf of or for Covered Entity. For purposes of this Agreement, "Protected Health Information" or "PHI" shall collectively refer to Protected Health Information, Electronic Protected Health Information ("ePHI") as defined in 45 C.F.R. § 160.103, and "Personal Information" as defined below.
CORHIO Master BAA (Updated June 2020)
G. "Personal Information" or "PI", also known as "Personally Identifiable Information," "Personal Data," and similar terms, shall have the meaning provided under state law.
For purposes of this Agreement, Personal Information shall include any data elements that identify an individual or that could be used to identify an individual, including but not limited to an individual's first name or initial and last name in combination with one or more of the following data elements: social security number; driver's license or state issued identification number; credit or debit card number; medical information (such as an individual's condition, treatment, or payment information); financial information, such as checking account or other account number (either in combination with a required security code, access code, or password that would permit access to the account, or alone if the account does not require such an access code); or other identifying information, such as email addresses and usernames in combination with passwords or security questions, date of birth, mother's maiden name, digital signature, passport number, fingerprint or other biometric data, an insurance policy number, employment information, employment history, an employer, student, tribal, or military identification numbers. H. "Required by Law" means a mandate contained in law that compels Covered Entity or Business Associate to use or disclose PHI and that is enforceable in a court of law, including, but not limited to, court orders, court-ordered warrants and statutes and regulations. I. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his/her designee. J. "Security Incident" shall have the meaning provided in 45 C.F.R. § 164.304. K. Terms used but not otherwise defined in this Agreement shall have the same meaning as given to those terms in the HIPAA Rules. A regulatory reference in this Agreement means the section as in effect or as amended, and for which compliance is required. 2. BUSINESS ASSOCIATE'S OBLIGATIONS. A. Permitted Use and Disclosure of PHI. 1.
Business Associate shall use and disclose PHI only as permitted by this Agreement or as Required by Law. To the extent that Business Associate is to carry out one or more of Covered Entity's obligation(s) under the HIPAA Rules, Business Associate shall comply with the provisions in the HIPAA Rules that would apply to Covered Entity in the performance of such obligation(s). 2. Participant Agreement. Except as otherwise limited in this Agreement, CORHIO may use or disclose PHI for, or on behalf of, Covered Entity, in the operation of the HIE, including but not limited to the following functions, services and activities that are implicit in the Participant Agreement (even if not specifically stated): a) Managing authorized requests for, and disclosures of, PHI amongst Participants in the health information exchange; b) Creating and maintaining a master patient index; c) Providing a record locator or patient matching service; d) Standardizing data formats; e) Implementing policies and other business rules to assist in the automation of data exchange; f) Facilitating the identification and correction of errors in health information records; g) Aggregating data on behalf of multiple Participants, including to create, update, modify, transmit, standardize, maintain, or disclose a Continuity of Care Document; h) Developing new functionality of the health information exchange; i) Responding to permissible requests from public health authorities including for public health activities and facilitating the exchange of information between participants and public health authorities (e.g., immunization information systems); j) Any other use permitted or directed by the Participation Agreements; provided that such use or disclosure would not violate Applicable Law if done by the Covered Entity or another Participant. B. Permitted Uses of PHI by CORHIO.
CORHIO may use PHI (i) for the proper management and administration of CORHIO, (ii) to carry out its legal responsibilities, (iii) to create de-identified data consistent with 45 C.F.R. 164.514, and (iv) to provide Data Aggregation services to Covered Entity and for the Health Care Operations of the Participants. (See 45 CFR Sections 164.504(e)(2)(i), 164.504(e)(2)(ii)(A), and 164.504(e)(4)(i)). C. Permitted Disclosures of PHI by CORHIO. CORHIO may only disclose PHI for the purpose of performing its respective obligations under this Agreement and as permitted under the Participant Agreement; provided, however, that CORHIO shall not disclose PHI in any manner that would constitute a violation of Applicable Law if so disclosed by Covered Entity or a Participant. Except as otherwise limited in this Agreement, CORHIO may disclose PHI (i) for its proper management and administration, (ii) to carry out its legal responsibilities, (iii) as required by law, or (iv) for Data Aggregation purposes for the Health Care Operations of the Participants, or of CORHIO on behalf of the Participants. If CORHIO intends to disclose PHI to a third party, prior to making any such disclosure, CORHIO shall first obtain, (i) reasonable written assurances from such third party that such PHI will be held confidential as provided pursuant to this Agreement and Applicable Law and will only be disclosed as Required by Law or for the purposes for which it was disclosed to such third party, and (ii) a written agreement from such third party to immediately notify Business Associate of any instance of which the recipient is aware in which the confidentiality of the PHI has been breached. D. Safeguards.
CORHIO shall implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the PHI that Business Associate creates, receives, maintains, uses, discloses, or transmits on behalf of Covered Entity, in accordance with all applicable provisions of the HIPAA Rules. Business Associate shall comply with the requirements in 45 C.F.R. Part 164, subpart C. CORHIO shall Encrypt, or cause the Encryption of, all ePHI they transmit or store such that such ePHI will not comprise Unsecured PHI as such term is used under the HITECH Act and the Breach Notification Rule. E. Minimum Necessary. CORHIO, and its agents and subcontractors, will make reasonable efforts to use, disclose, or request only the minimum necessary PHI to accomplish the intended purpose (as described in 45 C.F.R. § 164.502(b) and § 164.514(d)). The Parties understand and agree that the definition of "minimum necessary" is in flux, and CORHIO agrees to keep itself informed of guidance issued by the Secretary with respect to what constitutes "minimum necessary." F. Incident Reporting: Business Associate shall report to Covered Entity any of the following without unreasonable delay after Discovery by Business Associate or any Subcontractor: (i) any acquisition, access, use or disclosure of PHI not provided for in this Agreement or the Participant Agreement; (ii) any Security Incident involving PHI; (iii) any Breach of Unsecured PHI (collectively, an "Incident"). Business Associate shall implement reasonable systems for the Discovery and prompt reporting of any Incidents and shall train Business Associate personnel regarding the requirements under this Agreement.
Notwithstanding the foregoing, the Parties agree that this Agreement serves as notification, and that no further notification is required, of the ongoing existence of Unsuccessful Security Incidents, defined to include, without limitation, activity such as pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-in attempts, denial of service, and any combination of the above, so long as such activity does not result in unauthorized access, use, acquisition, or disclosure of PHI. G. Agents & Subcontractors. Business Associate shall ensure that any agent or subcontractor to whom it provides PHI agrees in writing to the same restrictions and conditions that apply throughout this Agreement to Business Associate. H. Access to PHI. To the extent that Business Associate possesses an applicable Designated Record Set, CORHIO shall provide access to PHI in a Designated Record Set to Covered Entity or, as directed by Covered Entity, to an Individual all in accordance with the requirements in 45 CFR § 164.524, including providing or sending a copy to a designated third party and providing or sending a copy in electronic format. If an Individual requests access to PHI directly from Business Associate, Business Associate will forward such a request in writing to Covered Entity within a reasonable amount of time. Covered Entity will be responsible for making all determinations regarding the granting or denial of an Individual's request, and Business Associate shall make no such determinations. If Business Associate maintains PHI in electronic form, Business Associate shall provide such information in electronic format to Covered Entity if requested. I. Amendment of PHI.
Business Associate shall make any amendment(s) to PHI in a Designated Record Set that Covered Entity, or a Participant acting through CORHIO, directs or agrees to pursuant to 45 CFR Section 164.526 at the request of an Individual, and in the time and manner reasonably designated by Covered Entity. If any Individual requests an amendment of PHI directly from CORHIO or its agents or subcontractors, CORHIO will notify the Covered Entity within a reasonable amount of time. Any approval or denial of amendment of PHI maintained by CORHIO or its agents or subcontractors shall be the responsibility of the affected Covered Entity in accordance with 45 CFR § 164.504(e)(2)(ii)(F). J. Documentation and Accounting of Disclosures. Business Associate shall document such disclosures of PHI as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of PHI in accordance with 45 C.F.R. § 164.528. Business Associate agrees to implement a process in the time and manner reasonably designated by Covered Entity that allows for an accounting to be collected and maintained by Business Associate and its agents or subcontractors. In addition, Business Associate agrees that (i) within a reasonable amount of time of receipt of a notice from Covered Entity requesting an accounting of PHI disclosures, Business Associate shall provide Covered Entity with records of such disclosures containing information as outlined in 45 C.F.R. § 164.528(b); (ii) within a reasonable amount of time of receipt of a request by an Individual to Business Associate or its agents or subcontractors for an accounting of disclosures of PHI, Business Associate shall forward to Covered Entity any such requests in writing. Covered Entity shall be responsible for providing an accounting of PHI disclosures to the Individual. Business Associate will not provide an accounting of its disclosures directly to the Individual. K. Government Access.
Upon request, Business Associate shall make its internal practices, books and records relating to the use and disclosure of PHI available to the Secretary to the extent required for determining Covered Entity's or Business Associate's compliance with the HIPAA Rules. L. State Law. Business Associate shall comply with applicable state law confidentiality, privacy, security, document retention, and breach notification requirements involving PI. Notwithstanding any provision to the contrary, the provisions of this Agreement shall apply equally with respect to PI as they do to PHI; provided, however, that to the extent that state law is more stringent than the HIPAA Rules or the terms of this Agreement, Business Associate agrees to comply with the requirement that provides more privacy and security protection to PI. 3. COVERED ENTITY'S OBLIGATIONS. A. Notice of Change in Privacy Practices. Covered Entity shall notify Business Associate of any limitation(s) in Covered Entity's notice of privacy practices in accordance with 45 C.F.R. § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of PHI. Covered Entity shall provide such notice to CORHIO no later than ten (10) days prior to the effective date of the limitation. B. Notice of Change in Permissions. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by an Individual to use or disclose PHI, to the extent that such changes may affect Business Associate's use or disclosure of PHI. Covered Entity shall provide such notice to CORHIO no later than ten (10) days prior to the effective date of the limitation. C. Notice of Change in Use. Covered Entity shall notify Business Associate of any restriction on the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 C.F.R.
§ 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of PHI. Covered Entity shall provide such notice to CORHIO no later than ten (10) days prior to the effective date of the limitation. D. Appropriate Requests. Except as otherwise permitted under this Agreement, Covered Entity shall not request that Business Associate use or disclose PHI in any manner that would not be permissible under Applicable Law if done by Covered Entity. 4. TERM AND TERMINATION. A. Term. The term of this Agreement shall commence as of the Effective Date, and shall terminate at the time of the termination or expiration of the Participant Agreement, or earlier as provided herein. B. Termination for Cause. 1. Material Breach: If Covered Entity reasonably determines that Business Associate has materially breached this Agreement, Covered Entity may a) provide Business Associate with thirty (30) days written notice of the alleged material breach and an opportunity to cure the breach. If CORHIO fails to cure the breach or end the violation within the specified timeframe, Covered Entity may terminate this Agreement and the Participant Agreement; or b) immediately terminate this Agreement. 2. Effect of Termination or Expiration. Within thirty (30) days after the expiration or termination for any reason of the Agreement, CORHIO shall return or destroy all applicable PHI, if feasible to do so, including all applicable PHI in possession of CORHIO's subcontractors. To the extent that CORHIO determines that returning or destroying the PHI is not feasible, CORHIO shall notify Covered Entity in writing of the reasons return or destruction is not feasible. Upon mutual agreement of the Parties that return or destruction of PHI is infeasible, CORHIO shall extend the protections for this Agreement to such PHI and limit further uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long as CORHIO maintains such PHI. 5.
MISCELLANEOUS. A. Amendment. The Parties may amend this Agreement from time to time as is necessary to achieve and maintain compliance with Applicable Law, except that no agreement or other understanding in any way modifying the terms hereof will be binding unless made in writing as a modification or amendment to this Agreement and executed by each of the Parties. B. Interpretation. Any ambiguity in this Agreement shall be resolved to permit the Parties to comply with Applicable Law. C. Choice of Law. This Agreement shall be governed by the laws of the state of Colorado without regard to conflict of laws principles thereof. D. Relationship to Agreements with Covered Entity. In the event that a provision of this Agreement is contrary to a provision of any other agreement between Business Associate and Covered Entity (including any inconsistencies in defined or capitalized terms), this Agreement shall control. CORHIO Master BAA (Updated June 2020) E. Survival. Business Associate's obligations under Sections 2 and 4.B2 of this Agreement shall survive the termination of this Agreement. F. No Third Party Beneficiaries. Nothing express or implied in this Agreement is intended to confer, nor shall anything herein confer, upon any person other than Covered Entity, Business Associate and their respective successors and assigns, any rights, remedies, obligations or liabilities whatsoever. G. Judicial or Administrative Proceeding. Business Associate shall notify Covered Entity if it is named as a defendant in a criminal proceeding for a violation of the HIPAA Rules. H. Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to its subject matter and merges, integrates and supersedes all prior and contemporaneous agreements, addenda and understandings between the Parties, whether written (including within any Services Agreements) or oral, concerning its subject matter.
Signature Page Follows BUSINESS ASSOCIATE AGREEMENT Signature Page FOR COVERED ENTITY: County of Weld, Colorado Weld County Coroner's Office by and thru the Board of County Commissioners Signed: [signature illegible] Name: Steve Moreno Title: BOCC Chair Date: MAY 17 2021 FOR CORHIO: Colorado Regional Health Information Organization Signed: Name: Title: Date: 2021-1313 HEALTH INFORMATION EXCHANGE PARTICIPANT AGREEMENT AND BUSINESS ASSOCIATE AGREEMENT - COLORADO REGIONAL HEALTH INFORMATION ORGANIZATION (CORHIO) APPROVED AS TO SUBSTANCE: Elected Official or Department Head APPROVED AS TO FUNDING: Controller APPROVED AS TO FORM: County Attorney